Checklist
| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 47 groups and 107 rules |
| Group
@@ -138,18 +138,7 @@
If this check produces any unexpected output, investigate. |
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database |
| Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 |
|
|
| Group
Disk Partitioning
Group contains 9 rules |
[ref]
@@ -343,21 +343,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed |
| Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 |
|
|
Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -385,27 +385,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91492-9 References:
- BP28(R58) | | |
|
Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
- CCE-91493-7 References:
- BP28(R58) | |
|
Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
+ BP28(R58) | |
|
Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
- CCE-91494-5 References:
- BP28(R58) | |
|
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
- CCE-83012-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
+ CCE-83012-5 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | |
| | Group
Updating Software
Group contains 8 rules | [ref]
@@ -244,15 +244,17 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91476-2 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
|
Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91474-7 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
|
Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
+ CCE-91478-8 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 100 groups and 256 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -527,15 +527,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -580,21 +580,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 89 groups and 193 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -477,15 +477,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,21 +530,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 190 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -477,15 +477,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,21 +530,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 98 groups and 255 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -527,15 +527,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -580,21 +580,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- File Permissions and Masks
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 4 groups and 3 rules | | Group
@@ -113,11 +113,7 @@
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 6.1.2 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify Permissions on passwd File
[ref] |
@@ -198,12 +198,7 @@
accounts on the system and associated information, and protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | | Identifiers and References | Identifiers:
CCE-91452-3 References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
|
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-07-30 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 237 rules | Group
@@ -111,21 +111,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
|
Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,73 +169,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-83204-8 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 49 groups and 119 rules | | Group
@@ -138,18 +138,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| | Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -343,21 +343,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
|
Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -385,27 +385,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
|
Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
- CCE-91185-9 References:
- BP28(R58) | |
|
Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
+ BP28(R58) | |
|
Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
- CCE-91186-7 References:
- BP28(R58) | |
|
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
- CCE-85663-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
+ CCE-85663-3 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -244,15 +244,17 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91163-6 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
|
Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91165-1 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
|
Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
+ CCE-91166-9 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 109 groups and 275 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -522,15 +522,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,21 +575,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 97 groups and 212 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -472,15 +472,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -525,21 +525,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 91 groups and 209 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -472,15 +472,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -525,21 +525,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 107 groups and 274 rules | Group
@@ -115,21 +115,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,18 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,22 +279,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -522,15 +522,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,21 +575,17 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 137 rules | | Group
@@ -429,25 +429,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-85776-3 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -502,11 +502,7 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-85795-3 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -602,52 +602,7 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-85777-1 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
|
Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings. For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | Identifiers:
- CCE-85822-5 References:
- 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 48 groups and 111 rules | Group
@@ -392,21 +392,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -450,18 +450,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -556,22 +556,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| | Group
System Cryptographic Policies
Group contains 3 rules | [ref]
@@ -697,18 +697,7 @@
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | Identifiers:
CCE-85791-2 References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | | |
|
Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -737,34 +737,7 @@
if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-85794-6 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 165 rules | | Group
@@ -127,73 +127,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,22 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Web Server
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 45 groups and 119 rules | | Group
@@ -209,10 +209,7 @@
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | Identifiers:
CCE-83261-8 References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SLES-15-010010, SV-234802r622137_rule | | |
| | Group
Account and Access Control
Group contains 7 groups and 16 rules | [ref]
@@ -313,108 +313,7 @@
guessing attacks. In combination with the silent option, user enumeration attacks
are also mitigated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny | | Identifiers and References | Identifiers:
CCE-85842-3 References:
- BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 | | |
| Rule
- Configure the root Account for Failed Password Attempts
- [ref] | This rule configures the system to lock out the root account after a number of
-incorrect login attempts using pam_faillock.so.
-
-pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
-defined to work as expected. In order to avoid errors when manually editing these files, it is
-recommended to use the appropriate tools, such as authselect or authconfig,
-depending on the OS version. Warning:
- If the system relies on authselect tool to manage PAM settings, the remediation
-will also use authselect tool. However, if any manual modification was made in
-PAM files, the authselect integrity check will fail and the remediation will be
-aborted in order to preserve intentional changes. In this case, an informative message will
-be shown in the remediation report.
-If the system supports the /etc/security/faillock.conf file, the pam_faillock
-parameters should be defined in faillock.conf file. | | Rationale: | By limiting the number of failed logon attempts, the risk of unauthorized system access via
-user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
-the account. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | | Identifiers and References | Identifiers:
- CCE-91171-9 References:
- BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 83 groups and 237 rules | Group
@@ -111,21 +111,17 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,73 +169,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | restrict |
|---|
- name: Ensure aide is installed
package:
name: '{{ item }}'
state: present
@@ -313,6 +247,72 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,19 +151,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -171,64 +171,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1692,6 +1692,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1713,20 +1727,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -1744,6 +1744,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1765,20 +1779,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,19 +151,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -171,64 +171,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1692,6 +1692,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1713,20 +1727,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -1744,6 +1744,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1765,20 +1779,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,652 +7,652 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Configure Backups of User Data
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Require modules to be validly signed
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Ensure nss-tools is installed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure syslog-ng is Installed
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Enable PAM
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Enable SLUB debugging support
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ The Chronyd service is enabled
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ Disable X11 Forwarding
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Remove the kernel mapping in user mode
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-kernel_config_page_table_isolation_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Limit the Number of Concurrent Login Sessions Allowed Per User
- ocil:ssg-file_permissions_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
-
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+
+ Use zero for poisoning instead of debugging value
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -43,19 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -63,64 +63,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1584,6 +1584,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1605,20 +1619,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -1636,6 +1636,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1657,20 +1671,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -112,7 +112,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -155,24 +155,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -180,19 +180,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -201,59 +206,54 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3811,6 +3811,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3819,15 +3824,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3846,10 +3842,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -114,7 +114,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -157,24 +157,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -182,19 +182,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -203,59 +208,54 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3813,6 +3813,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3821,15 +3826,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3848,10 +3844,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,3856 +7,3856 @@
2022-07-30T00:00:00
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable Avahi Server Software
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chfn
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chfn_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Disable graphical user interface
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- User Initialization Files Must Not Run World-Writable Programs
+
+ Enable DoS Protections in SuSEfirewall2
- ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
+ ocil:ssg-susefirewall2_ddos_protection_action:testaction:1
-
- Enable Smart Card Logins in PAM
+
+ Add noexec Option to /tmp
- ocil:ssg-smartcard_pam_enabled_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Verify /boot/grub2/grub.cfg Group Ownership
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Verify that system commands directories have root ownership
+
+ Require modules to be validly signed
- ocil:ssg-dir_system_commands_root_owned_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Set Password Strength Minimum Special Characters
+
+ Ensure nss-tools is installed
- ocil:ssg-cracklib_accounts_password_pam_ocredit_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Configure Backups of User Data
+
+ Uninstall ypserv Package
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-package_ypserv_removed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Ensure syslog-ng is Installed
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Set number of Password Hashing Rounds - system-auth
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Verify that system commands directories have root ownership
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-dir_system_commands_root_owned_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,24 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,19 +68,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -89,59 +94,54 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3699,6 +3699,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3707,15 +3712,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3734,10 +3730,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -120,7 +120,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -163,29 +163,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -193,25 +183,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
@@ -219,39 +203,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -259,19 +254,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -5629,6 +5629,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -5637,15 +5642,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -122,7 +122,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -165,29 +165,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -195,25 +185,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
@@ -221,39 +205,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -261,19 +256,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -5631,6 +5631,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -5639,15 +5644,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,3335 +7,3329 @@
2022-07-30T00:00:00
-
- Disable Kernel Parameter for IPv6 Forwarding by default
-
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
-
-
-
- Disable Avahi Server Software
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Set PAM's Common Authentication Hashing Algorithm
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-set_password_hashing_algorithm_commonauth_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chfn
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chfn_action:testaction:1
-
- User Initialization Files Must Not Run World-Writable Programs
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Enable Smart Card Logins in PAM
+
+ Disable graphical user interface
- ocil:ssg-smartcard_pam_enabled_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Verify /boot/grub2/grub.cfg Group Ownership
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Verify that system commands directories have root ownership
+
+ Add noexec Option to /tmp
- ocil:ssg-dir_system_commands_root_owned_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Set Password Strength Minimum Special Characters
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-cracklib_accounts_password_pam_ocredit_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure Backups of User Data
+
+ Require modules to be validly signed
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Record Attempts to Alter Process and Session Initiation Information btmp
+
+ Configure SELinux Policy
- ocil:ssg-audit_rules_session_events_btmp_action:testaction:1
+ ocil:ssg-selinux_policytype_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Ensure nss-tools is installed
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Uninstall ypserv Package
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_ypserv_removed_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,29 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -73,25 +63,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
@@ -99,39 +83,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -139,19 +134,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -5509,6 +5509,11 @@
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -5517,15 +5522,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
RPMS.2017/scap-security-guide-debian-0.1.63-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.63-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.63-0.0.noarch.rpm to scap-security-guide-debian-0.1.63-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -178,4 +178,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html f7e8909d72560cf6cfc7347a55f0e14c7cc1585d526d82780de884f752997c4e 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html e0bfc478beda23b590e080a52942af78acf2794500f31a08722d31ef87c1e774 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 63e7bf507451e01fdc4d5f2a5ede8620a1eeae7d8d806ede31a48c88fc804f6f 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 9812699b472c863232c84e7bbea50b6d28a699bb9aefb55bb3f71e32af5801e0 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 051711f9e2661647933de3e23c967be35c744f61804a84acbaaed4565d2f9adb 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 122bfe6da9d4066260d5536b22869c2f1b0c866d87abf24581d4f9955c080a7a 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html a539e80929e6c4f068eba7367bf33393907d076334b2468a607c821e7b439750 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html b2a4c6dfb7ea92bbe793504755efec400a019ad2c2519c89cab263fd32b28cc6 2
@@ -183,5 +183,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 79ea6640b4579c06f99cdcb3f8d1d6c78c5d01bfa952e88f69113498a41d7dfb 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 47ae620e3f7c7c986c57d091a3d37f1a2056a5f0669c591761b38d13567bffff 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html daf9b8534ef1df496712b9fec2a5f87ec4d6fd519621b0e6d7b15b95daf3cee5 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 8e19c29c8292e1f452eb5323a5a0ad863a26069fcb6f53927da42210c42a698e 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 1b6af31ff16dd69b6faef0a2e5e92dd734f84062b5e4457fe6499522043c9750 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 1983f7d0181fd08be638e377b4854e8e39dad0f8249f9d3bbaf4d28fc8530bec 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html a5831c0d1cbf538cb56acba58972587ba0096ffa3d103d47634b7929c5a31d34 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html e943ba1467d0745c65bc205c35085ea11b5ac457d2834aae425543ca6656f51e 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 9d144d59067b21705da6cb3a6f5d292cad7420d73e65fc38d9e02744e0faff6d 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 16dd449ba7c4ec4d381f25b47576bfcd66c92b1ffbd5c547c8be18afec2086e6 2
@@ -189,5 +189,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 35e3d53803f4b4d69ee096a7f09e30e0835ea9bcf7f7d8bb3d0d56626457b9d3 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 3d741e89d058c70e40bce189385f7b27527ba8182e5bd6c7ba38ada35fce1714 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html d710c610be760bc166ccb7e2aed65e7f32cb9ebd7e9dc69c1c13dbe03a6aff72 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 0a11facde2f26a84ea842e387ecd1f3f0b08386369c373da5def19807bb0a74b 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 81a02c7a31ca8bcf63098f9a1a78801fb98c516f5c447a86206d8795d073109b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 567e5fe727e8416a6f85b59d5c7b2dd8e19b7e3231049cf830a4a01f3f459f20 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 5e93df89aaa3a168aea9355b9e7104afaede5c55ac52865291df052a81425bee 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 26cf005f043b5f1928a70b7169dccc285dd4cfce97b4df1c01ab9648e703c259 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html acb3111173aa2dd469501de0c1e598a2df0300536f6d5c2c11ed312b1e88b13a 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 69f3886d4d2115082d359841fb94d72de75ba1fbfc4fdae06c7e158c4cb3f278 2
@@ -195 +195 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 578f079c324081415fc15f5cda0813f5ba492a0049bba285310b9f3fe3a240f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html c2bebdda843b538a24b2dc0bc05c22c89fdc48003dcce2a6e892138c032ed83d 2
@@ -238,3 +238,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml fd92ef54159b81a7349d562b65846c01c769bdef16dea2572f536f563a5e6606 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml cdf5973cbb63d19369e05801037b738f39ac5e3094476b06506fc75ff366274e 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 894680caf987f45b2550e6123b7e2747ab5fc0ad225415cc6e6082edd5fb6200 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml f58f6ea4a49a5666d2768832348082ec4cc62c18f18af192272c265d688446d4 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 92426ec71b0bf740315a181b14847bd70e83ca5bb9b6d8b0c3745614376654b4 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml e99b928117cb07e344b0e1aefaa27a42a171732d852c532be03e99fc7a642378 0
@@ -242 +242 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml b848b056b171f0ee4d92da474dff115d219ff696426eda12314dec116f8fa48e 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml e45632306485a314af2c5d6cf883dcc9a3fb8586d18852653462c4df19f850f8 0
@@ -245,3 +245,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml f8c540436b0abdd5a68161627d6e7a473cc513f5710232de4cb587c899819db5 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 8b715b6eaa1d0c12d7f423539b121da92b401bfabdeed61d524a73d4efd0bdf0 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml ed13d974259039b8d6eda7c4163b16b916446764282a4a59221f735cf112d9cb 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 8c4df82a3b45a48fd5bb5d660d0e439bc46a8b44416553ffaf1ad9388c392b15 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 99551ed4662d3785575abd4311f998e703116a7331e9df6e9a7f37cdfacf8da0 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 174fe3f37fc5cd4f10f335e8fda37e61d5db673c3268f3ebcf0b089e4824205c 0
@@ -249 +249 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml a7c79e5918ce629025395d37cdb0711c43e2382633ed9b454a3bd4c8b473c07b 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2c7d9a1bc3f599f52665b1e2dbda740d27ea99400cba108c871a6abadbfcad5d 0
@@ -252,3 +252,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 08c7386cb4776ba1481304d3146be5527eb98cc31eaa6c2abc701ba3b35a5e93 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml e312a6d5e0ceda54844d1ca15e5a4c03850e23fd6f528277033d343bfe4a70e2 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 35f5e1589387bc04c66fb77b773fccc07cfdffc43fa5977e0a148632ba2845d8 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 7df514d8f250e83d533afb69b7f1e0f2f56c83edaf294df8b11af2ec7829ebb3 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 655d9f80f6249ef3fe026ba3c59a076a9d4664d89b89764bb59ce5ee05e613c1 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 879e301590f6a756356cba92269b2616aa319325442f39fb6d75947f2635a5ab 0
@@ -256 +256 @@
-/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml d53c0f2982b44440607e5873284af8aec7a11f291a067b6ba7d88c06e6da9c12 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 95cd85e5f152fc29a7d5a84c23cee6498d8960c1ab6a76808e331806a0978e21 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 20 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,28 +387,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,14 +483,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,7 +514,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 23 groups and 50 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
@@ -610,28 +610,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 11 groups and 24 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,14 +237,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,7 +268,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -339,7 +339,10 @@
The rsyslog service can be enabled with the following command:
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 22 groups and 49 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -589,28 +589,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 19 groups and 44 rules | | Group
@@ -230,14 +230,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -275,7 +275,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -465,28 +465,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -580,7 +580,10 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -656,11 +656,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 20 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,28 +387,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,14 +483,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
|
Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,7 +514,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 23 groups and 50 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
@@ -610,28 +610,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 11 groups and 24 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,14 +237,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
|
Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,7 +268,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | |
|
Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
|
Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -339,7 +339,10 @@
The rsyslog service can be enabled with the following command:
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 22 groups and 49 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -589,28 +589,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 19 groups and 44 rules | | Group
@@ -230,14 +230,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -275,7 +275,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -465,28 +465,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -580,7 +580,10 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -656,11 +656,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 20 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,28 +387,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
|
| Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules |
[ref]
@@ -483,14 +483,18 @@
$ apt-get install syslog-ng-core |
| Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed |
| Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 |
|
|
Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,7 +514,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 23 groups and 50 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
@@ -610,28 +610,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 11 groups and 24 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,14 +237,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
|
Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,7 +268,10 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | |
|
Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
|
Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 9.
@@ -339,7 +339,10 @@
The rsyslog service can be enabled with the following command:
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 22 groups and 49 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,14 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -399,7 +399,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -589,28 +589,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 19 groups and 44 rules | | Group
@@ -230,14 +230,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -275,7 +275,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -465,28 +465,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 9.
@@ -580,7 +580,10 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -656,11 +656,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | Remediation Shell script ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | configure |
|---|
-
-
-chgrp 0 /etc/group
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,448 +7,436 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
-
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
-
-
-
- Ensure the audit Subsystem is Installed
-
- ocil:ssg-package_audit_installed_action:testaction:1
-
-
-
- Ensure SELinux State is Enforcing
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Configure Backups of User Data
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Require modules to be validly signed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure nss-tools is installed
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Ensure syslog-ng is Installed
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Enable SLUB debugging support
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Enable PAM
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ The Chronyd service is enabled
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Disable X11 Forwarding
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-file_permissions_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+
+ Remove the kernel mapping in user mode
- ocil:ssg-sudo_add_requiretty_action:testaction:1
+ ocil:ssg-kernel_config_page_table_isolation_action:testaction:1
-
- Record Attempts to Alter Logon and Logout Events - tallylog
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -43,59 +43,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -103,29 +103,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1962,11 +1967,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3019,6 +3019,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3040,20 +3054,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3071,6 +3071,20 @@
BP28(R58)
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,448 +7,436 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
-
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
-
-
-
- Ensure the audit Subsystem is Installed
-
- ocil:ssg-package_audit_installed_action:testaction:1
-
-
-
- Ensure SELinux State is Enforcing
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Configure Backups of User Data
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Require modules to be validly signed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure nss-tools is installed
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Ensure syslog-ng is Installed
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Enable SLUB debugging support
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Enable PAM
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ The Chronyd service is enabled
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Disable X11 Forwarding
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-file_permissions_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+
+ Remove the kernel mapping in user mode
- ocil:ssg-sudo_add_requiretty_action:testaction:1
+ ocil:ssg-kernel_config_page_table_isolation_action:testaction:1
-
- Record Attempts to Alter Logon and Logout Events - tallylog
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -43,59 +43,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -103,29 +103,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1962,11 +1967,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3019,6 +3019,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3040,20 +3054,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3071,6 +3071,20 @@
BP28(R58)
/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -143,59 +143,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,29 +203,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2062,11 +2067,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3119,6 +3119,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3140,20 +3154,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3171,6 +3171,20 @@
/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,448 +7,436 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
-
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
-
-
-
- Ensure the audit Subsystem is Installed
-
- ocil:ssg-package_audit_installed_action:testaction:1
-
-
-
- Ensure SELinux State is Enforcing
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Configure Backups of User Data
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Require modules to be validly signed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure nss-tools is installed
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Ensure syslog-ng is Installed
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Enable SLUB debugging support
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Enable PAM
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ The Chronyd service is enabled
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Disable X11 Forwarding
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-file_permissions_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+
+ Remove the kernel mapping in user mode
- ocil:ssg-sudo_add_requiretty_action:testaction:1
+ ocil:ssg-kernel_config_page_table_isolation_action:testaction:1
-
- Record Attempts to Alter Logon and Logout Events - tallylog
/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -43,59 +43,59 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -103,29 +103,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1962,11 +1967,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
@@ -3019,6 +3019,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3040,20 +3054,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3071,6 +3071,20 @@
BP28(R58)
RPMS.2017/scap-security-guide-redhat-0.1.63-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.63-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.63-0.0.noarch.rpm to scap-security-guide-redhat-0.1.63-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -715,14 +715,14 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html db45f773324f20f277ffae246358b629807ec4a16e1b15ab4d54b490bac3520d 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 61319b0ce66d787622025c76a45abc6e246132ab4670cffbc8ebba5d53bb3d7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 40395f695bac579f6b6d90f4968d2b275fdaad5cd7cd70ea105de7becd056d78 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html aa1a894d553f3e6d98bebce5fd47aca5004e72d9a421cb01457d8298e565c97a 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 69037302b0652969b7aae1133e9ad1ed96f56b84d321d05bbfb21bf3da4b8f72 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 04fe56964454dcd3fb51be59b8857acb274c0c43e62858c0cf43693129c2f73d 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 9a5aaf674aee6f6a19ef61113ce65c7ae77a3fa2d5af14f769c618844ffe9817 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html e92fa6f4d73fde8167219a2def79631021cebf6cc919d8f5d1d6ffc1b0881418 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 4872e4acbde46fe130bf72d83fbbb577722f0e823a00f22507f8557aeb8456da 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 4e4bcccf8129ae5bc9f570fa3282ca1a18970fc71782e0c3200d1211f8390fa5 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 68027ed6b8f71306466b53c58231d43bf0971942df68946c09416817ac980402 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 0e5eaffbc00de238060e2616c741995727cea16464a544d63a729f31a11982e0 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html f45e31429aaf58ac1c26e25cbbe945b9d787c044391cefde030864cadc537bb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html c999af5ccc5730ef2031e720fcf9948afbb95bdea85c90eb7b401f54d9b32296 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 37147aa6bf251a0accf6a3ed13d5beadcea91dad6d6c7ffef4e81920676d39e4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html f8f6677ef16943d5066361b4e9d725a498d84cd557b40393a0cbf16c0b2e2f95 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 7c74d94e578886164f0d247d25b519f882ac9c74e693840a0442c10d29460076 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html bbe180db07aff0aea480d69d1253e917c366d64e33493422027f654a7e99e5b0 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 0d98a3e908e6773fa15c91b647ad670b9c47624b43f5c4d68f68af6fec2ca2f2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 2a382dec6f6dce6bbc99509b1c8a1f9c032fc0fe08a6c5d2ae27f84e4adcf786 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 02c5e4761629e0a37436e0b01247b3bc4fbf2439f0ed32b998ce627ed9f2be30 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 82b36eb77fcb86902f657fef32cb46d1657a06702ce45e2e355570dbf8ff1d8a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html e6afe94b98444eadb1f32ecffb46d9c42ba2e70ee07acfa91884007cf3c73afa 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 42872a8927977ea424ea27184920d4caa31c520aa72c1ed812055de25533034e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 307abe3a95408603f8de307a23a244f3bea90ee798923df151b1fc1df3fc2a66 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 806e19219011b0d1c606ff10494c031692247f27d7bab69b3d09cb0281ec9ce2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 6d7b53fdc2755d39a210ff671487e06f4bd623ea143a6abccde84e5cb412c1ce 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 0526f50d39066dbc153123393c6187cdc292f8aee176567bdb3e8f2be4625e45 2
@@ -730,18 +730,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html ef02324d7b809538cec2112572f413050b2a20ada2eb3a066547844b437cca2b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 707f7c9072af2a87af1a1ae8f6b045392be9c7d295a07f478ebb765c4cd90d6b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 716b9da0e4ac7f877ed7d0f7c9fe81fb889ab3da9d228fee14de7ae581f45c39 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html e638c59205ce378a1c9f0ed960b3aee18ea07eedd3659c7bba1464db2532b98d 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 656329a40a808817c5f6bd83ce5ca15b1c9a699868aabc58eabfebb8882c9d63 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 003eca89beb0d44cbffc174c956e1717bcc4af5ace2d1da893d9eb9cb3dce14c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html ca18635d3fc88d12d5521ab4e8db706303d9af896e980c43dac62515d702fb81 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 393b4a12e4856f9ad3d2c611dc4cc7d813ab46822fda164ea8283525a1f8eb66 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html eacac78ba4ede150d052aa02aa107fc60bc81e2b8c90412716973c43d912208b 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html ac03708310f38b0fd61d1c70f7a1b616f101d4fd3b757e8c4e4dc11c49d12dd5 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 0983a84cc3da3e1340e611faedb4778ed5981d74b427df5b5343f96e675ef743 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html dcd12f8e56501d6bee8ffdd7990caf34f98105c97a36ec8150c9ee0d2bb7d652 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 78ec5e594889124f159d656130145e98fa82cf3a9499f932016a8b73cc4bca36 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 11e2a3c39373d4f88d847f44e18bcbe6e47d909d1f006063990598e041976bc6 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html b3aa76619e9527105149742661286b9bc6d672cc98c3c875c3311c4613b1bdbd 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html db246bcb8745a441a89a5be221ea814aa2c7c0e1c011bad471357f3d905ceb74 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 009f73f0b3bb4b446b9167e8069e1378dd5dfdd95d11c74a542f81a510367786 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 6f4ce8f9c6d8d5beca3c11ead090aa6c7370bca270e0ba535e20858751efeccf 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 739a4cae1df7d0b633a5a1f33f27d83a6456a916ec3c65ab436b6ce11fd7f864 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 884fd25dab10c6abe123758e7a5df1a9df3c230e90936f5698d2a202c87b2ff5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 80c34bfb62db520bb2c73515785e3fa78ed919c4e5ced7b484c047c8cab415e9 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 6c5ce3dea8688315c56de4d4ed0aed0ae7bedf9f142ca94916b0028a705d0cdb 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html a06613d8407728353d4559185087d784b9d90b6ce5e9e0502ba78c11a6fc49ed 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 8c4ac75161aa7e6c81a7ced1c4931414fc134e397290c7ce8877d039ab1abb85 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 3050d12f23f203c06074a5c71429b90bb6cfdd247cd0d00ebea6d64b396f8de6 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 3a4a145142c3ddbdbff24cdafd542871f9267c87c2e1d66a6f4fc03e95891da4 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html cdf1fac397e3580d8c00ab2dee09e0656781e73476eb3d286eefe3be69a2c77f 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html c39c2c6062e19b4e65bdb0e5d677c05367e4e1115bd741e52a6bd028c29fba9b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html fc31439d44a2e4aa8bbf8ed864dc7b799298422421add4f8e2927be959e08823 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html ae4bd91ec0bafaef57e837d2cf06b91f04f3ce224fa21cd01338c903fbac83ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html be74ee7900d1196d90c1b7cc9a9831572ad880030297dbda715b564bfb4dda96 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html be5a29eae922a49e784d2e44a832da8c3169c878a0db0e7d0b1f1a31e0dcbaa2 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 6276755e21bda698298e5d8b98511653499c7f066f712dc9d6ce1c190effe45d 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html f4306061d39e42d516d9b2183f467b92050e1157de9496591f2c366b1720e781 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html a1c0f6d791ab567e1b7d3a9738e1943127472e6aaa1331a1fb06ba6656bc62d6 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 7798d3049f7b084c6c3961fc6bcf4f1114f2d329a4a9a9523002a657d4371a87 2
@@ -749,5 +749,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 48752fdd8494bb7ed819d4d37f536113384f38c8baadfd6ca8babe3a59b36bdf 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html b08744826016bf755a427bf675f88cd58a12c1001b2beec6b69e6cf118429a02 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html b6478b0675e8eabe33afdc3e6dbc237f8356602775ae1c34da377a8452e08a0d 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 6683f5b3af58d2999f38e9b9bb828a53d9a1bc9d8373604620f9b7117b43b905 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html a06231ed83578cf9c0811167e92efb95f1334d56dbc1d74bac31a86f9b22e6f1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 37a6908089c1d6833107902a51ae20d26334d62cfe1ebebd7e3d581e843f21ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 49436425dd8be473508ce97cf790adbd4b9642e33619288f2dbc8779591d01e3 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 3c158b46aa878604fcc3b6586ba48f10f1ec41f5cf1c914bcd49cc22253eadf3 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 1a3c25311cf4a248978d6a4309c16ca991edad2f2220486136565f31d016e0b6 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html a977fc0a5b72abda5d0a29101ecfd024544e878be10fb263375a233898ea06d3 2
@@ -755,11 +755,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html ffcea946ca6b9918067895ae9779cdba1933bc07aa5657c24d367447c26eee8e 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 21613dc130fde66fe006b84e99cf3dca1ee17a06422a3476830d0ffffbdc663e 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 349de389ad67750a09a9eb9e8079f402c5a695022774f3944f48fbfa22e47631 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html ebe8a760d548a9a53479fb4cf2ff4f7e23c5b4dd88daa6cec42e3b1670588818 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html d72f7143631ee8b90d022b0c808c1d6efd5a25db460d645442f36638a899d887 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 56789adecd254a6d918ff3c123368a7882a41591108dcfe3894a9cc27a27813a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 88186d194724ce0ca8a4c9464c079f7fff4bc3664a4e218918dff63b16611c33 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html fc85a7f54edf5fbef453a1a47a8afcd26ab1368aaf1c2ec81f6fa34f6bcfb1c6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 479f2810afb3bdfa31b8db5c5aaaaab601b5b2d2af583dd07f3d9934df8c1676 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html f337bd690881fe311fc72ae8172f88310f42b3bf3487d68bdad792bb1cfee8d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html ecb73f6532ae6c60eeb8ec104daa32cf816b5f7d96e44d64411297b53243cf82 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 9543f04ae075b0580cfbb184762932bd51bcf217e7609e39c7832526128ba56b 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html b7f8efd5bd8bf86f922062e19d978d4c3819e8ca4d80946f048f3998773af28d 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 0cce64ad0b05d58966158f152fca18442b643b45ab05220023587ba5b077c95a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 487144a94b57d229f0f390d087fd4e11de656ef9f83cb1f6f61ae89c811f5ca1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 82f90a7d2a2de4352e8f57a851cf251b39ee15f19931bc4a69a38e2d53055c20 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html c4343656e8a730650ab6b89e53d027b9e51eac3103485b4e9bc6075ce933d756 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html a1acfa3b8e39442dd690f5495f35fa2faa7f3dd68ae1d71ac2bb9904ec3dd60f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 21a01091d67a6807a10c737e005d27510991731275eb4121ee292e3848eeefdb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 33809dbe6da90b15188887b2caf33e669934d9d1549f6a18ad70bd625251dcb4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 07f1984dea63ac1e6396d53ca271cb3defa2c492217b5130a77c2df43583f6b5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html a8e318bc0f31dbd1f104b55c7dbb8a1c15c344510d2f03bbb623088cff03fbf9 2
@@ -767,15 +767,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 446199e13b75eb5386f7a68f167fda9b7f4dde15f6e4c9da912ea74db627c01d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html ac5f2568e42a3fcc86223068c7b271627e335691408b53aaa879e14fe9e63d5f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 897b2879756cca0cb3821bff4f4870f81a65f4cdd1b5ca433b427615973946ea 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html bf427e5d07de16722fd5eb8d80c992f0332073607ca677a212791ae880006710 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html d310a5db5934c1531d8c79c21c99252a25e37e995e1108abc5f32a8c38f689c8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 415cbf0b5d0fff04b17b726f99c42ba3d3f68bd8401937cc2878bd75b702ba69 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2fc8ef403ca78b4dcd67b5acb9615a5a68aa3fb6a1a32fe6810569defb1d963d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html e4d3eb9a0bb9700711113170c38e940c480d7ba019d8930bc827aa40c73ea5da 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 41a0c82205b4d1fd09767d581e7cfb425f4f39ddb50499afac8a4573a694122c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 77e620b265c4f50508cfc9b0d4f945ad8a87c3611de98600ee7de3f8126866b0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2c2a2b95701b317e406b2922609e54611a60d6d605f8ec4b48e6dbe4cab06b04 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html bc315a6107c57ad801004581627a46454e8cedcb3afb3002c2b29ec59ffb45c0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 753183c99a912a251b83e6c7d784cd7bbcb413b12fc7a1d3bc12a552461ab4cd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html d5598a512ea66bc50adfeb9a845ec8e41ec333cfb4381788045769aee350daba 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 483ea1ebbd9022f0c591329c732c40ca369b1c643e1d7db348affad9bd9767cf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 62232dfef13e434ec81da3a73a661fe4de145b5cd81e850448f3e6f41dc5eab7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 2bf15906592a16507f34bb6407bfa6cc3de3a34cfe60c0a63d8bad23f478a0dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 4be817bdbd758d9044ab62ec178c811588d9f63264c4cc33cb4f181b1cbbcccb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 7b2c54647ab5a68256f52682571937840ebd6aa3907f9c876e1cfbe1a881e326 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html b9ac20539bf4a433b81bf2adffc3ed72132714d83ee9158952254bdfd8ac6881 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html c52cf93f2c61d2b57f002a95074ac381aa38d5fcff6d61506880fa3fdb164d8a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2829ef2d6d46b0bc0a1a9000ba647536bc9e21a3f660548ae086d8297c3193a9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 5808eb399a28a0d26ab2b12b744fd8edda36932035c0be2e18beaff33cfcbcb3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 580de4604e7aa8572e282c3c0f2589e4807d4faaedaee5f1036a79c7000ae91b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html d7d52b65eb3be237af57e85e5401c64a9160e0665005e5106bbf23ce37a9e0bd 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html dd99d6bcc98d026a99333ceaf10649a8fa56bbf2c89998f45143ebcb2fe21278 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 938b92ce058acf7e178118b26a6fe17d48600a3f78d7030a9ab11497668fcb5e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 48e9d53f3d95d375309de1bf8a0911dbe05de5a04bb76dc3c848861c9018370f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html c26992d8ed999b726b0efa8e367877bf4700f17b3fe9d668026b980a905e4231 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 19d53d9e3a2b16ca88d382c62e814973c6ca57168f10703abc732725a9663bdf 2
@@ -783,5 +783,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 162b7eba18e08c2de7670d9665373836351ef2f27a6e5f08d99c5f790e1c3703 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 8d13544491f409358608f57755e003149314ed3282cd0a2985b284e322e85fab 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 1b6fb17150cbdbabb7e4b9c7ae7b5f74dd438767e30d0112ec691768a721db1d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html a88a9d6aed836c86a106aa7ef4214f8a31b54c8a2a2bf065dacc053b6a220538 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 0d67aead79e4a20c93f707827ba672ac77155343affc2bed79a98198e9e1cbfb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 0c5f1bdbb33ab9c7e137ff77893444db9da4362039dc9a692854b017bce1906a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html f9840cc64fbbbd43c97046b040c72573162f32fa72d676c346b12cc21cd56b9f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html c315ce5051c7071c0884c30a353d76ba37c02787cb5ee1395ff7875b91cadca9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html a0d7f5118b34d9401a4abc9f9f024e43d7bee321e1bcb359f7795ee2b003e2c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 9f918d02b22643f0df5dfaf89d1d952b55a0cf4da1e164746993f18750f854a1 2
@@ -789,8 +789,8 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 48f0f8412647ab5433f70bb6881b08c148d73b5a7fbea58f2282b68994b94c1c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html f967d556314836570031d70ebcafbbe77c57944c6b5b5f4720fe0c44978ef5e0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 5e7121814adaf8bc6d2f9753d867e6cf3bd28754d58619e9ff8c2005d732958a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 448188cc444b59940d832fe7343bcbf134af96b0100b7d0d5567684e9eb8b196 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 895527c4da85d7952b63c2c647dc472c1e38970b0217f97abad60c2125f0ef52 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 01970d7900f3ad524aa6648c63640882d78272344252aa10a51a8e1020e8f12d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html e8af5be5ab10887bad4db717938acc4c7b7c88a6a18c147d96b2b06503fa80e8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html d2c9e2f5b53079faf713b351b62f23c584bc5fd784684c8723724a539b091a6a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 5dd1c08a78b8ef426b076195c6da7dfae73ae64bff4ba1ca020393f10a561f7b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html f01b9735da8ad943a157ec8fe283927f59b079c4869c69b3f7d693e6eabd97f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 06b017a5fac1a289156e6bd4c13731af0d3937a08a99f4f320da51949dad4651 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 1365d23eca89619803e2be0e1a9249022b1d65538a7569083546156e24f1678b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 15002f2b77985bf6cc8217747feb10199c43f225a0504cee1d2e7cc90d9b0f91 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 0bd8e657de8715edc9f75a04cac04aefd68d10ddb2ed72b40b6667e6358537ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 7f944d2beb3108833fd645b759be468cf75249c43b575065c9f5fc249b764cdc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html a28a4b9887fb28914e4da9f3f537497409687abf59d86f783cd4dc9a37f3d2c9 2
@@ -798,15 +798,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html d67a728c47a3c471e290c2571a6c7634d8cee0036c1b0ad2ed76a2b12bad0541 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 540791cc8c1375661f27cbe5123af94856870f813a2990188f7ce16526e0f1c4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 08ed5e72b894d55d93a839ad02c195419e1af23517c1e4c5ee4a4e2db37c558c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 8d5d1a43946e6c88433dc5e85ece188b89dc1f1e05daa0cf512d8f57e90eeacb 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html cfcc0a1e4c8c35fa4586d69eefa3804d168048560752e0267a166bd80554bc8b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 6e86e584495ebc42c402d4bfb5f6e43fce3ba9ce83165388014046ff2a1fd036 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html b6c7a1d2895e067ce565d43dfc3b5568d7698633d1e15aede75c86ccfb06ad32 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html da89185b2958e27c64e393bdadf071cdb1b710907725c5620e22907e92b1253e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html a1a28f8e2cd9e345496eb68cb7ad2ef432f187a7b7f4d22a7dbf5b912449b13b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 3f7f3f310ab1d6d62482bdce8f03fd1e4a533594ff3df7a4f2ae112b444bff74 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 6ec76104eb60a975186e5767602948c77a178cf3acb5d4a3eb372d0eeac94a16 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html f986518b03f9f82ad233e9af0aef3f75d794efd64d2f3d37ee3e6c5a0f3dbfd8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html a6effcfa1e350c81a98585d17b4556d6bd807c7ce9f3c8b5a1c45ab3012149a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 0318415e5a2d295bec901865eb821daa4189e893a30d04db0ea9567fca7466a4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 93d81d7174a351b61d55d6f55d9bc7a7eac96d255f3a30914aff2ed5b7fb4b3e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html cdb041c6cca6077fc297a484f0308662dd73ad7ac1e09de540544d21be22636a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 8bb97cad742b21e6a58a70fa0ac02d912b233c6c5aeab7c5f2dcb9dab6672c6c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 91cdd64c13d5fb8890aad646d0300b5511bb3d70208202fe22e32e62b594aa88 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html ab09884ce107207a6779217a1b6d9bad7a212a3d1b9687406881304926f7d5bf 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 886deb48eaac69f5afff79cd5f6f6a616f70b89e8b34e9bdae1da082a5c01829 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 79e6546f24b34d281ed7c604b70384530ef4d63ca62315789252dbbc15b80102 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 1a1329923928adda6093cfd6397778f69d644077664c832692c9c300df5888ce 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 221540eae18f7ea29add0d1d1d6878486ed421e5799a410bd4b95009d397d9d5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 299ffe7433dfae6bc6e5920345409c7c32d102a263e537c574b0538b9573d766 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 1cd34a09a60a224cb18baa5649019398ff3fdbfff466fd389dd69685d390c8fd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2dbd688226be579d4e67a84e356b71cb08a723c36d7d977664f76d72d7d03350 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 55683e6f2636dab196a127355f27a04fa3d1bba04a5ce3fac545d092ba6d7538 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html c80de4fcce816221d8a4675668d330769fd396012e25e33719af4c26adf49129 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2d84b5ccefe826f50c0fe2bc7f19bb70d0194b8cb48e1e57f96382503a848db2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html c0cd7fc4f2f24fdc086178c693c148afc156c45b49b35cebbf72e27ded3dd098 2
@@ -814,21 +814,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html d93662fcc9c13d53afb585ffb49f9a08231beed362c270f2d749262d3b02f299 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html fdc9ff94f44cf0fb28798b81e7520b36907cdc38580a8132d194b661513d1f58 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html bb14a925d98a405f4f225bd21e21352abba40ca8edad58c25b7550323c06d612 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 703a0f68def700edf457776db79fe10dc0594e200dfeed698ebdb44dddb9821b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 8e0f32365cc99a8601f3fd5b9d41a5df44c9664a158d2ed636305fbef87a85c4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html b86c595eea459ec74eed0107ef534d165c598495dd1342a84c0690fc1e0d61e5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 1cd094a59134c96cada317a9b17623087b23afdd6fa889a23de6139fc501983b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 1dfa227357cdab57323de27519b59b3a528edbe4aae967570ff36c0c3c4fb7b3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 7827ca6e63921bfb84d2e888bc24393d0d27763f43db716de22cd718617549e7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html b6e6d19778843abeafc00acd00f32d2d6d72665eb602dd91bff11ee5b712af20 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 3f0419dd9c972a68588bc1b849a972109d9661cc4724b4507ee940e05ae773cd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 5eab80bfd2573618691b34c163f913244d36fbf97beb1fe05a68520210706e55 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 3f8d5a34c1ff1b29a2e9b1c41397ee60b0691d2cb72fcea71f635fb4e871abf0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html fd0a5aadcfc0083bee00b3324286b72ca5fd40981a8f91e8eea42193257005d6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 9db2dffe180e2b06e9c83a792a5926fbc3afdd9b52dd1eb33585ac8d3080b811 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html fc217cff260c999f41ab6ee69c1d7bf90ea8eeab21690e5f1b8cab8f7e565b56 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html eba247bbce45b02f413cf468c4c23a0ae5fc7327af677695dc950a589dc7b74b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 8ce7766c3d102ba3b6b5bd6ce13040afee1a0aa435fa4edeb033b934cf4c5cb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 85ca1556b0b2d50769799a9ac368f5caf44c3e3253f152c081fc29d0df1ecaf6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 8d564a17729b0bc9c6310755ee6162d4d81cf341fb76a9ce62d6aa3af8612721 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 405c656f9c574ff844abc6fc356679672c9adccf2edb3ef990b3313ee239d1a0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 92c24379dfe421695b0ebe20a3ec7dc0417d53f5938f5bf4a1fcbef4fffefe1d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html cf580e0f16c5b9f45c063766296ed8dc8a787fb69740b22465b241e8fabd070b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2997283638543dd81ebf7dbb5446d1cc992c10fd0c97fad521466f5f61d92cc2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 702826a0eae79f2776bffd05338b4f2116c0e7dc647de09579d798b20da03953 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 23e5c71ad5edb6dff1565fcd1b076b3e3fc7cdff743ac36020d24b55d67c2e56 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 377f32b702addd4a7872b0e5aad48e66f40804a8f4cc73f67cf911ba580c1949 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html bb6595e60bf30b313df2efd8034aff6fdc36227182f3001ac2bc0559315143d7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html d4f0b7f5e406332913ebe2ba7660cd02754a558f81baa049544b1c6cbcab7204 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html e444cdb0943aff566d2a2e2c904cb7f203ceaa3568757e1318736c73e099396d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html cbc41683c616000c5063a513fb1048b527a031a3b19c0cc0f5fe3f2aaa4de2cd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html d3b20f7ab0a492de4284d22e200b2c292b692d1039aa80476f77c669434b4406 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html d6ee2bfddddb6cdae0f08d5fd9815060b51c58c7dcaaf0a5899d0eb089cde762 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2a327a1161d6561e83438ac2a9e96a937bb263f5fc19e3aab0ef30d3cc41fbaa 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 161b1455780b311c045fadb6e838f285e7f2071483bf47c3c88ef18c39cf93a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html abdf8202ec0b8101e8b1bd5fd71c4dd3ce73f6cf9bc6c2b97922f740bd7d7f2e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html fd3f65d3989e7bdb68043416a4b80f592be7e70661ce0af061faeee0cf350625 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 27aa1887226000847ea0385346895f2663d52e2f8bd7ba6bafbdc51ec2c09358 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html df2e066574fa4b99296341894387becb675c5853db962ca9cbc4bb4694888639 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html c50f45268f94c234372ff691f105b145cb2c79c87fe756d633ad656d87d7f0ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 8333767fb1465c844bf8c084cc2e03203e5da136137b46fe04c37a1fd358749d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 42aa07e8de34668ac0c03ad99d295df2f9e9f935b7a0e15f395e1c2aff7d6b78 2
@@ -836,18 +836,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html e1e8e83d2324a5142d15898e3b8a885ff5fd5b9442c542ef5621e6ab2230040a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 370992ba8d7bfc107b496e98fced20a1f2d39fa8be9ef3265797159b4ee229bc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 4de925a529228b72b3115c7ed81962eadcdc3f04d530ca1373860ce5e8cc69df 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html a2cf555b6c930ee1c12f62390429833511e9c7d3fa9a8962d6b130f00c0d4d60 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html a92d9a4537b7d8d4f4ec82e829754c75aab15a96b650a7bf14675a37b278b8c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html efcfb41086f85a20e6c32ceab32312a3b1bda1aeb17a43a13a518b9a1a2ca72f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html b11144f471eb57703d600ac30b249efd592fa484375a7ba4cd06bdff947d300e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 3d434bd864ace73acd3f8306c28f52d925f3a50280b37dc38e8333b3a1c1c15e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 814f1a5caf776b6819401ac7afbbb875199fb5a92d1f4de767128552f3887f5d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 9b8a20b9be3fa0e4722901b4d6c7abc5b807eb95717328382698a1ed9d11425d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2c93793d3f0248e5de1473cf14366ef16617482015814914363949da92b63e69 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 0f82d7371c865c7054baa72427be14db7f5e8f853b50dcfb844418a9794725c9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 6d32dd5c5ccd6f7a650df33ad5dbc0404f8e78c191ac5b8f2daa909dbabafda3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 96937d0d8e9718e7ab1704c9f3f298b3bf3da2fce31e741bdff2a444c781406c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 6fcadc980237d64fbda9065b1c85ffa58ec64c47e3a690887366fe426b0f9bcd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 6efdb6852f65861d2f4a31e56a56b07e3423b57a685e54f82ccc5be3142f932f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html e048a498deca7c1af0bbe363ce9eac48a781f2f48b6a207d56546e37e91ec052 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 5d7042dfa41b5641c478ac9e795fa9ac119208cc0d22acad7c277bbf4e43b407 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 621b1271bb4355cf6e6ccba884d5086f495dbd7a424cf84f3568985507905fae 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html a2082ab7b00d18f172bfb570295556918b5110a7b53ce6bea79fa35434852dcb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html e15ff2a9bed41d47bfc3dfb4bb6b4e21c57ac2fdb7607335d32159806d75be36 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 05463933e3b5008556e2b4d0a07a04ea86ce45268ab57e75a443ab4f1c7f1e1f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 623a6ee75d19bf2cc0f6a252c5eb2c1af26be86623c75accca65be3ee6ce2e6f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html c148ea8bae30cb2903f83f241c5f4d1331dee756591e610bf3cb6d4948836954 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 1d984a9b3ed2bcb015b9abd7f44630fc21960c16ec99dfa91cc8611a06f7ea3c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html ab912c14c1ee2297ce1261541fca038d6f95d77c818ae45b47342e9fa791b5b4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 6e5d713a59084173520adb6a0506dd2de13a80b6440f1cf17a8f41a3b4e002c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html c2b8dd139dd80344a0562e66697a9c332490a8508f21ca55d16c394b96eab4ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 4511cd64febe894ebd990093179b73314edbee2a77db70f3f12d72102da02282 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html d620a4884ba97a98444aa4c5ce2962c683bebe4b9880e06833f5cfbdd293eb7e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 7703c3c1bcb86eaceac8a4c19eb251c720a245fc822e28feaf9aca68ebb890c7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 5395303fb7dd073c210c532f9af284783025e88837a788332db718904f520660 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html c900ea5338cb7f094df043e4c8ab9e7ab62039fc8c5d1c8ebc6c2a5016a3719c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 5c6f3b8450db35b0d25cc05908c841cc479c44e524b8c9e3f98e3de829312cff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 99a43c32f0a39583526fff1149b8208a0944574b4c554e221b05e04133795800 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 1d9be0357231bba5a804da3144672ec36c3b5eb78f48883f642aacd6c23311fa 2
@@ -855,5 +855,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html f438f92f2aed8397764b54080dd7bb222b2fce361101d424c4218b207b8130aa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 6ae31c3e5b474ae6b71473ad166fa757bce05c4138dc2d3ba91a91efdc8573b5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 93924ca91477779c5e0d1ed6c5e32bb506129eed1f4f655331106c6244b44a7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 8231a69ba2a8ffd95e2f543ae0db228717c6572a307989cbcca95b4d04790589 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html f1e507ef7025e9dfad51ddbb366e29a7f50b1dd9f8b0a1269170511c902b8d15 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html babad7076ef86ca6e902f51b64f4fa79e61f1fefa90d82c314657c46d0cda941 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2634765e4a58f7ec7e89d297858eb38f825072a5bb877559d724b96d53e3a8a0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 54087f23a531d1c03c6667f4fdf08dbc5d84b11556473f1647ac07168750ba3e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 2678f7a7c5b2d954c8fe0bc6040f07be7ec6cb9af8e5f15a62a320064054c520 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html f99832dc7dae7b566a81c562fe5aa42bb5c8ceb5e1777aabd6119dccea0e852e 2
@@ -861,3 +861,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html bb78c9c8fb86ed551e3c62fbd75bec1700e4aa8eaed744a0a4d9f3cb109d50ff 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 8d366bd62de3dac608df4e1255a5facbf843ec90ab090845682b97ee13cf235f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 958c29e95b620f74abf33f8a87ebb18e2ee1f2236ee444c6e251ace52be9291a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 3462ad8db769a3b81142972f57ec19bc8284791a8aae37589f22f6c23d914313 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 4e6cc7d50e82d0b6ec35beb968442134842ec76d6c981ac71c136cb28eb23acb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 3e5786035e9ce1098115607d65c2b8b8bf4014d68f8e2d47ebbf38430a947f69 2
@@ -865,2 +865,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 539cbbba2a9b0f4ef20e2546798d4aef626a597006c60dd3d7212b2b8a9190c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 080879de062c6f17094b2e65309ac1d7a521325bd8c645ecd1eb16c6f3adaa87 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html f5ad57573da11565ef56358128772f9c0e380433033f1a8adaebeb8897ca49b2 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 9de94b1412612c537867a2e255bb070ce60cdccd2643f0ea098b013ac4a68032 2
@@ -868,2 +868,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 88cb2b90e7a78b2958e2144ded90cfd6b2b833f65285308f44032660d1047d6b 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html ef034029d5ef74267e57060397d2a6b06d34845c409e6fe1b81b1dfd43cae795 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html b4396652afcf4e641d0e4cb1ea52a402f5b8b170c3b7c632fbfc44aeb1382111 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 817b1ffdfa06bdf310a2489546f5fa20d7459d117a73045d30ff0b630254ab3c 2
@@ -873,3 +873,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html df5499f99220ad63eefa7a654b117e4b001f8d235ef755c625a443be453655b2 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html c68438596db6f38c019856ab01b7e4016fac468a95ba8f35a29b8decd83a707a 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 84c0cf36b6d96d540049b3ad1d3bc2a3031bab42cd4db8f6211588e31fbe9db4 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 4730322ad8e363b9c4de888ce35b176f646a8a1d3f6aea6269303963286c4401 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 48c010e34a97cfdf84284b2f8dfb57bb0efee1c3b260c982633b3a5ad18395a1 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html ac9325ad397e429774829d33a8eed0347fdc1fdf6c7a0c509d1997472699621d 2
@@ -879,2 +879,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html e826ac0e2f3669af103ed5eee33632f59971acd7d2b9f79829f2d93b8cf30d33 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html d39a33faf7c47ffbbff20283f8b425a5df7e885e83df432d27b4fe8ae46ee347 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 6b9a7920ad626d639c33c3a64f120e8b4ea4e23f26e1d1baf726cb28d4b11101 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html c318b531a3caa4bcd8f1e9977cdc99a0c4adf0f92866854c6a2c3a60ab4fdfaa 2
@@ -884,2 +884,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 358d863cb1c5a5657379f000ff87eeb0364ccac344f7af6612c2ff888c067354 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html bfa016a6c5d6052c54fc59ea4ab6e50cbc355b2cdb2fd747940570135a789edb 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 3f4e7a48408043a069e62733b2e5b9741cc0c4a8f1340bb6ac7663eb66e51ba6 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 5f836d28198c76394f7124a8965779bc324813c56e311c090c09e88809fd2ad8 2
@@ -890 +890 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html a7dad7069315b6b9ae778f1ef990b303b3deb791058a780260c24629bd629464 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 4f9c221d9b9c6082fe4f4a8a1176c7334ed7b837160542bcabba13e6c662dc96 2
@@ -895 +895 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 6d0a7481e5bb35a82f8a1a536165d630cb0dfeb37dbda513c042d61d9cf2a444 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 5f2c20a4a4a9f9fdb9dc511c202f5a1096d8b088848d328c948b778d1efb8109 2
@@ -897,2 +897,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html ce344615ef2ca8cc127aac70b606eff4fc36b7e2324200acc98694c75f59a880 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 226f4f7c589879b588172c725aa3c6fa2e78de97d37e99c9c0e822df27ecfa55 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html ccaee786861f8faca458f21f3457b3fdef94e9af3ec8df637424316989a1b8c6 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html c813a8a2542103e257f9d74c00af006506d1a272e5373ff30673e59cef98a233 2
@@ -903,3 +903,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html ca7a073ef350f24d7cd4521c27550cbc8dd481bd26c497f973de154da1e10fd5 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 7b1e51e63d747f553563e8cd415127522dc61d3d69fe13856cacd0f2f6cbbe3b 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html d2c29e829da9de5bfb76529c7a59cd6fd99e0125dadbae36c988c15a48ba663f 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 8fd14e425021e5d13909d28d082643c108b169a40012e9b2936c39c8a50abb5f 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 5648e08e66a6094000abe88c89cab3dddb242ad36d0754b1e70c47e9cf89fa78 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html b78c7f54902116a7b15b93f42699a980feb6a8392899efc8495778e0e961b219 2
@@ -915 +915 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 7fe274ab381e101d36cc8fea322d2cd7716db940b11c50f0cdbd29970147c3a3 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 9b85218bb7122e268a11fe209897fdf3407385afc2feb38de47d8bfa65f8e97f 2
@@ -917,2 +917,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 9d9d5cf13fe3891d3dc5eaf83f70297f2a3c81b7e0e661173840b3b6e81f4515 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 141b091408499dbdc788230a3e043a490e9a2a0053eead448e250705a7defb3f 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html a35fbb3c39ee0aaaa5d4833a4d631d692e55a071d3751c2fb22c17a950d12488 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 20fbdf74b807776737fc7cfe235fd429036fe5472bae8dccdc41d06206636088 2
@@ -922,2 +922,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html b3fc7cca36bb700b6ee7eb1413d132f8fdddf8ace3e4eb6bd4d0ad4acda65ac9 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 0150c1c6c42ac0e4ecbd7f90f60152ec1a1d6292ee9f0171aa9544648c109d3d 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 8e8c910f341bbfc4a8825b0d6f3ae4052a655e4d5bc4269ff5c7fd7b3ec8872d 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html f0330d578a9a94d024178b880657e11389f27d6ee02fe2f92aa264095e87962c 2
@@ -1249,2 +1249,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml f37569298cb6f7d2e607ef37397cfefc199530f13e46dbf5609e2cb7b9b1fedd 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml af6fd814108056ce9cc0e9426a40ece5f6794f73b721ede87d8c850c21269b91 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 70b1c9ff962dc06e0b3d88961cad9f2319991f051f0239f1f26bede8fb4d8a0a 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml bc3f92b50cd5742763fc3cd9024c240c5120505e70d4ba296cb583372b6acc5c 0
@@ -1254,9 +1254,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml e6971e36fe0367c94db0b9eb84ac711be8ef3a9e3e09503b423c30b05045f7f9 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 183c72d80d96c1d96db8f6a4ef52178a90517c66f6d85e68055d3fc391232a20 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 32cb4687cdb59bb7e0c477beac1aead7cf33547ded997cf02715433fdbeda8b3 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml c1f8f96bba7b3ca282faf83bfc9f7c3131f0ae33d380e67c3b12a6aec7ba3890 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 1ad519d74cea507a0e1590ee049e786c14947ccdaa1d06e5c8bf283b98f569a0 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml cb1cc1fe9cc415847c697e1455a7c9cdb976feee4ca31e4912dc4f56e3d97253 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml d4e2be1ad4df8af111842db53ce691dd938cfe3de575f3840e0682e6117c7f81 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 9fce33e26214ca8e40409c0f3f21e6e1b5d669d1c0c78f34cd6b982da0457670 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml b7ecbef1c183b4a85a2324e53d40992dec4e539061a151f61c04f75b1fe7ffc1 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 8c8e1b67eb16cfe9a76b0a3c7f6967c6f23c785c4160e8b31489b6ffccc6f955 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml c443bba3cef5f36e4e3e56cfce21804ec6ff8b06a6e3391f9b3dfc30846c7e8f 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2bfc1ce52e30a0926d169511dd9a45f36b686ea95d13999d1857bb51d1655f1d 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml b7db7275718f8825d5d8b654ee3e7c009b16c3017497adbaa0cf922bacc2415b 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml f0bb304140a4701355339285f72fd805dd107c6bce04e8d27b919abc3a8e882e 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 5c53796fd971d7bf461218f51ee8ff3bbb5b1a53b13d4ffc225d517268faf2ed 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 14f57cce7bea68b3192d70dcec90b8fb6049452d3e9953a686789ba3abc4a29c 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 91d9230017308a8aa3838ff90f6212932b42b7a75a661b61b629a57360a452b5 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 5081d7364254fece1d5d64c6e71be5df5cb9aef1e2b9a62cceda0b425903669b 0
@@ -1265,3 +1265,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml e7d8fb4f4dc4509d04abc0b38acd9f536730bba9003f5cb073f74a4ae2b0c57a 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 9c4e07abc8319d2dca3b510ca948689e65361133e935a9b136c8d20d5b15bf44 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 18ab278b2644958acbf974068e95ff731e9be4142dd70b2fa7a4ffee6cc93ab6 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 68c20ed2130fec8b49598a688ffd90610edc3e75dba52ac27f391bbc602e062e 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml efdbcae83b0d5e3fd0490c325f531845235017b1a83b270ce40d3f35e162995f 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 1a42ef4402516c6fd7709e75311a8447abf376f0db9fa3d1b5b315224b618a5e 0
@@ -1269 +1269 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml f3388669365ada68d0143f51c84f819eecda2ff5649e0287caaa9cde6918a072 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml f246d505fb80286704011c652cb007fc34b0a96cde8ed5e1999f99e3eb80f7e0 0
@@ -1272,3 +1272,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml f59f04e9da02173fcfc31b4fa1628a690bc054d0ce1380143842747b7e9f3b9e 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 58b0fa9ce69015d2b93c5f120c23dd20d993495d2763f9e5749db0667b2133d7 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml c3c92b24248b62ff6a8ff3fe4a19f40787397b88f426ad1814e4327649048bb5 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 26959f05300f9c6e8f77fa5d0b578f9502dcf4a7bc92faceb80f85fa4345a71c 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 14e71d537cee9d2dc46911e7a5d01d91b62f26fff5c9a45b20edcfd014222915 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml ea0d12b9354028a3b35631be6dd59837d0d373fcb1fb2069d686592bdca4aca5 0
@@ -1276 +1276 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml ad0c55c9244f34209f5d69f73def2d5e2d2c6958a6a9396d9c2c0af8f01cf25e 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml c338a56baca8843154b9c1916ddc810033fbe8a9f3c38494831ddcd87739196d 0
@@ -1279,3 +1279,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml b0d6de5f0e1a6a5f5b9562acd8d525c372f13f4ca75e2d7c89617773331421ef 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 174d5cab28c20ea5d5a9307df61c1f292c05f32dac50539e19950cc569db149b 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 5dc0b8b4d917f5d52f2937e4ba1503b0f76e7ed185470945db3f077aed445d4c 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 32bf82d3b25294a766e25784ead1299498cb8e630ae102aeb170777290e73f13 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 0fa12cf84bef1f42f7b35602e1394d323507a2462b79cfe805c16d7dc1ce374e 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 55aed828d0763ff63b0fce90962b43751da0c55f397826338ad549219c0265e5 0
@@ -1283 +1283 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml b4f4888e8247813a608061572b3d85e075756c2ca66f77428c2dc2aa54c31856 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 9240e6b6182a3028a7edd9436e412af8c261f8964df6febcf7f6fd8b17cec907 0
@@ -1286,3 +1286,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 65b035052667210c74365170b1ab7688924bb66335a6f1c814c1ed9f6b4bea5e 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 08dfed1bb7a473a7842d29990f61ae31092c4e183af4990e5d1cdc53e65d0ed9 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 4b332ce4f9845480cdb82deb41787e5555c1da10587a491cf1acb7f046922095 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 30764b7610cfa6873328fe013dd9f9320e0f8cc1bee5584470a071e92d93b6cd 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 18cf11a800231e8e82d21503d87a5f4f31ad0769a32172df00f2c68c967f4617 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml a64de123965cf9a485760bfa8fa2ee7a8efaa09063d07a1732fd9cb9e8f7c775 0
@@ -1290 +1290 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 56cc07a3b15946a95abba3536388fe777e07b254b0f96616825b205b09cca324 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml a8f7796e5fdb1bf35873ef0b51e3cd9d085cd68676e9fb3104732b8a26d1b42f 0
@@ -1293,3 +1293,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 55def41ba4bc2c5c6562d0f79341bc6e1cc385e52e3c1c2649c0c42f6968d2ab 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml e07500d78aeae9e8cad044ccc53e3b32c5cf82df18db4e9c7cc96e0f23b004ed 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 3655e97544659866a63644bfbe0138ea75b0828d9dbf734374895d932b3c82e9 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 53b551409929acb742a825ad6e7c1f4436723cc2bb64b7f7fe499b32d5447fb1 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 7f792c8a36089d0c2cd1f5ba2dbd9cbe37f2eb4223c9347d443cdacb3af0b5df 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 60d30e7bc1516687bc12b8b8f7df0df879da3531d06e1629022bbaa33706cea8 0
@@ -1297 +1297 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml f5d2d9d6810e802c3592a85d93a4640913b60796e04d89bc1d41a6deafc545cc 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml ff3fccca09a22c04ecf1cd7a42af690b8494e1e1b0aad7ede94328edc7080acb 0
@@ -1300,3 +1300,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 1c9a347a1a25c962341454f91a847dcd9f4ae597a61a9e9af2a88bdc418b5bf2 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 4d9c9ff51c7cc156f32705f6d052c3e19bd06f9ae5ae3754d00f7205655df6f7 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 0b00aefd425a179c516e0a5efd8f93b4ca0ce2793bcf1dd354863994bdd1d8c4 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 9db4cbcd8d40618ac33e398ff8938d94e1d9959ab3f50754b889906282bd24c3 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml f03ec9ae405151c80a2db187155ca120f4c4042ec108327625ad15c22dd16572 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 187c86c66f112968eebf695e34808c64c3092973851ed626a93d1545283234bb 0
@@ -1304 +1304 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 0b4b16a0f5bba7ca60f6dae598e37d880606d2a702fda1a85905e39c2502420b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 576229da57b4845e2546f4c762c5bac790274e886f1bd986422c45ff1a0535a5 0
@@ -1307,3 +1307,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 75224f551d1ecf502d21fd20b4826499e54a6693c75260ebb70ce306fc39a048 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml f6ceeeccbe71931aed161c65d41fd973d3fcaf1669f08e3c4e4fa3ed49f3a714 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 10199f59f0cf4521bd0ef25e38a777ac8d3f937d2b7b5f4563c9c44c5d2788fe 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 9c2e3f2b8f8a97c9ca99b2c2cb8e5baa2c848cbdaf755637796061e4bbc8339b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml c3bb7adcfa0878764542cbb16eecbada799058049e1faec054a9453a2e548cec 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 743481e029219bcb196d7d6d6c3717feaf297af8b87ccbcd9c56124366034824 0
@@ -1311 +1311 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 07476b7c3ef5e41a232300f2b3452ada16c097b039c1fd34a660aebec3a0afde 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml abbdec5a12abc4c3ad4c9b2b63685f246e7cf9626b8c6a3df0874c603fd71326 0
@@ -1314,3 +1314,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 1b32a8da4e9303ca9e2d33552b3820b9c2e0a9fc63440830a845ed2fd87251da 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 3c24e353bda588ce060afdf5d06e811433e6e0f314f182db016681c7151b5e5b 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml d75912da37028ea0c157e30af47e2a44b6090b702635a74bbe2fc58aa6324f52 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml adf1849b388e241b569fffdd2ca0d77cae7b160b8698e52f77f967498f38c7c8 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 6a394c62079caf4d14eb07b622b3102e08cca80b247af4064efedcde401f9cda 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 94be7edb6d6285054e89bf258003625f24979b796b0a9a1d85f24d6008d6834f 0
@@ -1318 +1318 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 6677923e4322eeab4dcd5965f59575b6aeb843ccf358d3fd9aa2e18833b5cbbc 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 563b1b498964a91752a3931ff8febc4cb34279b0a09005243e6b212dc29b591d 0
@@ -1321,3 +1321,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 0bdeaf847de381fdfdf4e2ea63f4531247842d25c717ab075fbf924ccaa907be 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml b45b6026a9d8c6c71f43c9d77e2eb833a970410095e23bbcbc16316e0b2cb64e 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 57c699d4e228d659d5e2b279c0c92b9def7908d27d93e927608a754477435028 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2a1ccbace4391545f370e7ed459927c8a259e88a2355798084f8f4f9090db5b9 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml ee185b26c561dbfac0990f7c8e0f5532737dd30d82e68f4c264bd9f0ee09bdc5 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 51d127636361e300712892c2e2e0c10dd6adb64c02a6c7a5e53ec7ba08ab797c 0
@@ -1325,4 +1325,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 295b7a36aa5b5da86a04e79d2edc7212862f3362a1538743ef3c09cd03e6ece6 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2c490e7b16c781ac5aa8f52f8767cae8588a47d9123669efde1862bc8a698a5d 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml d365e35224ca512b3d769caa288293de5fc0f461df686becb36ccb2a1b1dac09 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml be69cf6d46b26441e33c28a1aee37d2fcb7b6d361a3ea1f427c50514293ed0ab 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml f8dccd5e48957f19e1e47162c8b1a1a8d2341d1197fa669230105ddb4c1171fe 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml db4f8e99addc72dadfdd47063a97679b20b996091aaf21e2d9dafcc710fe4faf 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 54ff2554814d256c10baeabae39a9bc930d1bd37ecbde195b9144e9178c09da5 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml facac40d85850e2086920df39848677ec7b38bcf1978d81024550dba7970c6b9 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-07-30 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule | | |
|
Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,20 +491,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -453,12 +453,12 @@
volume at installation time, or migrate it using LVM. | | Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15 | | |
|
Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -471,12 +471,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.16, SV-204495r603261_rule | | |
|
| Group
Updating Software
Group contains 3 rules |
[ref]
@@ -510,40 +510,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
| Severity: | high |
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule |
|
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | | Group
@@ -124,25 +124,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
|
Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
|
| Group
Disk Partitioning
Group contains 10 rules |
[ref]
@@ -297,12 +297,12 @@
be configured not to be mounted automatically with the noauto mount
option. |
| Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot |
| Identifiers and References | References:
- BP28(R12) |
|
|
Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
mountpoint can instead be configured later. | | Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.7.1, SV-230328r627750_rule | | |
|
Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -325,12 +325,12 @@
outside the packaging system. Putting this directory on a separate partition
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | References:
- BP28(R12) | | |
|
Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -341,12 +341,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | References:
- BP28(R12) | | |
|
Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -354,24 +354,24 @@
logical volume at installation time, or migrate it using LVM. | | Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1, SV-230295r627750_rule | | |
|
Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
partition. | | Rationale: | The /usr partition contains system software, utilities and files.
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | References:
- BP28(R12) | | |
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,24 +287,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,35 +419,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-230263r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | | Group
@@ -124,25 +124,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -297,12 +297,12 @@
be configured not to be mounted automatically with the noauto mount
option. | | Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
mountpoint can instead be configured later. | | Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.7.1, SV-230328r627750_rule | | |
| Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -325,12 +325,12 @@
outside the packaging system. Putting this directory on a separate partition
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -341,12 +341,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -354,24 +354,24 @@
logical volume at installation time, or migrate it using LVM. | | Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1, SV-230295r627750_rule | | |
| Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
partition. | | Rationale: | The /usr partition contains system software, utilities and files.
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /var Located On Separate Partition
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | Group
@@ -111,22 +111,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230272r627750_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -174,22 +174,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230271r627750_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -242,19 +242,19 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,24 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 99 groups and 293 rules | | Group
@@ -123,25 +123,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,25 +441,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 88 groups and 226 rules | | Group
@@ -123,25 +123,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,25 +441,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 84 groups and 223 rules | | Group
@@ -123,25 +123,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,25 +441,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 290 rules | | Group
@@ -123,25 +123,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,25 +441,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | Group
@@ -145,15 +145,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -307,32 +307,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -487,20 +487,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -134,25 +134,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -247,19 +247,19 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -326,25 +326,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -398,10 +398,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, SV-230223r792855_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -430,18 +430,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
@@ -147,15 +147,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -304,28 +304,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -429,32 +429,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -578,25 +578,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -150,15 +150,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,32 +312,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -461,25 +461,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -533,11 +533,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -644,52 +644,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
@@ -151,15 +151,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -308,28 +308,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -433,32 +433,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -125,25 +125,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -238,19 +238,19 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
|
Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -317,25 +317,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
|
Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -389,10 +389,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, SV-230223r792855_rule | | |
|
Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -421,18 +421,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | Group
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
|
Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -483,20 +483,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | | Group
@@ -121,25 +121,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -201,25 +201,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
|
Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -273,11 +273,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r809334_rule | | |
|
| Group
Disk Partitioning
Group contains 4 rules |
[ref]
@@ -326,12 +326,12 @@
logical volume at installation time, or migrate it using LVM. |
| Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
| Severity: | low |
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.2.1, SV-230295r627750_rule |
|
|
Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -341,12 +341,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.3.1, SV-230292r627750_rule | | |
|
Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -355,12 +355,12 @@
volume at installation time, or migrate it using LVM. | | Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.5.1, SV-230293r627750_rule | | |
|
Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -373,12 +373,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.6.1, SV-230294r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | Group
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -305,32 +305,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -479,25 +479,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
|
Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -551,10 +551,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, SV-230223r792855_rule | | |
|
Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -583,18 +583,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 386 rules | | Group
@@ -129,25 +129,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,78 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 383 rules | | Group
@@ -135,25 +135,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,78 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 60 groups and 160 rules | | Group
@@ -124,25 +124,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -297,12 +297,12 @@
mountpoint can instead be configured later. | | Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -313,12 +313,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -326,12 +326,12 @@
logical volume at installation time, or migrate it using LVM. | | Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -341,12 +341,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -355,12 +355,12 @@
volume at installation time, or migrate it using LVM. | | Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -373,12 +373,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -565,12 +565,12 @@
mountpoint can instead be configured later. | | Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -581,12 +581,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -594,12 +594,12 @@
logical volume at installation time, or migrate it using LVM. | | Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 56 groups and 149 rules | | Group
@@ -124,25 +124,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -297,12 +297,12 @@
mountpoint can instead be configured later. | | Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -313,12 +313,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -326,12 +326,12 @@
logical volume at installation time, or migrate it using LVM. | | Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -341,12 +341,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -355,12 +355,12 @@
volume at installation time, or migrate it using LVM. | | Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -373,12 +373,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| | Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -236,19 +236,19 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,40 +355,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-07-30 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 98 groups and 283 rules | | Group
@@ -120,25 +120,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,25 +437,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 87 groups and 216 rules | | Group
@@ -120,25 +120,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,25 +437,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 83 groups and 213 rules | | Group
@@ -120,25 +120,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,25 +437,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 94 groups and 280 rules | | Group
@@ -120,25 +120,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,25 +437,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 133 rules | | Group
@@ -185,19 +185,19 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -239,25 +239,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -310,34 +310,7 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -415,11 +415,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -472,12 +472,12 @@
and other files, and helps ensure that
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-07-30 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 47 groups and 97 rules | | Group
@@ -174,28 +174,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -299,32 +299,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -448,25 +448,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -518,11 +518,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -182,32 +182,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -331,25 +331,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,11 +401,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -511,52 +511,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 70 groups and 147 rules | | Group
@@ -178,28 +178,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -531,25 +531,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 133 rules | | Group
@@ -175,19 +175,19 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -229,25 +229,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -300,34 +300,7 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -405,11 +405,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -462,12 +462,12 @@
and other files, and helps ensure that
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-07-30 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -173,32 +173,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -352,20 +352,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -455,24 +455,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 105 groups and 358 rules | | Group
@@ -130,25 +130,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,7 +189,76 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 103 groups and 357 rules | | Group
@@ -136,25 +136,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,7 +195,76 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- Network Time Protocol
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 62 groups and 207 rules | Group
@@ -139,15 +139,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -306,33 +306,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -483,25 +483,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -553,10 +553,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -584,18 +584,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 47 groups and 121 rules | Group
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -473,20 +473,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 39 groups and 76 rules | Group
@@ -133,15 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -295,32 +295,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -431,20 +431,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -578,25 +578,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 160 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,25 +400,19 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,27 +444,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 174 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,24 +278,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r603260_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -415,35 +415,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r603260_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 57 groups and 150 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,25 +400,19 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,27 +444,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 27 groups and 37 rules | Group
@@ -102,22 +102,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r603260_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r603260_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -246,39 +246,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r603260_rule | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-07-30 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 47 groups and 102 rules | Group
@@ -136,15 +136,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -486,20 +486,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -143,17 +143,7 @@
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -214,72 +214,7 @@
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -674,39 +674,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 46 groups and 93 rules | Group
@@ -138,15 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -300,28 +300,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -428,32 +428,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -558,22 +558,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-07-30 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 54 groups and 142 rules | Group
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -508,52 +508,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings. For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | References:
- 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 104 groups and 382 rules | Group
@@ -158,15 +158,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -325,32 +325,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -508,20 +508,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -134,17 +134,7 @@
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -205,72 +205,7 @@
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -665,39 +665,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 48 groups and 99 rules | Group
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -299,32 +299,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -482,20 +482,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 10 groups and 9 rules | | Group
@@ -94,19 +94,19 @@
$ sudo yum install glibc | | Rationale: | The glibc package contains standard C and math libraries used by
multiple programs on Linux. The glibc shipped with first release
of each major Linux version is often not sufficient for SAP.
-An update is required after the first OS installation. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | |
| Rule
Package uuidd Installed
[ref] | The package uuidd is not installed on normal Linux distribution
@@ -134,19 +134,19 @@
$ sudo yum install uuidd | | Rationale: | The uuidd package contains a userspace daemon (uuidd) which is
used to generate unique identifiers even at very high rates on
-SMP systems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | |
| Rule
Only sidadm and orasid/oracle User Accounts Exist on Operating System
[ref] | SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,12 +318,7 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| | Group
Services
Group contains 3 groups and 5 rules | [ref]
@@ -411,7 +411,18 @@
}
Remediation Anaconda snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
package --remove=ypbind
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypbind is removed
+ package:
+ name: ypbind
+ state: absent
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_ypbind_removed
+ - unknown_severity
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove ypbind
# from the system, and may remove any packages
# that depend on ypbind. Execute this
@@ -423,17 +434,6 @@
yum remove -y "ypbind"
fi
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypbind is removed
- package:
- name: ypbind
- state: absent
- tags:
- - disable_strategy
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - package_ypbind_removed
- - unknown_severity
|
| Rule
Uninstall ypserv Package
[ref] | The ypserv package can be removed with the following command:
@@ -453,19 +453,7 @@
}
Remediation Anaconda snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
package --remove=ypserv
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
-# CAUTION: This remediation script will remove ypserv
-# from the system, and may remove any packages
-# that depend on ypserv. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "ypserv" ; then
-
- yum remove -y "ypserv"
-
-fi
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypserv is removed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypserv is removed
package:
name: ypserv
state: absent
@@ -481,6 +469,18 @@
- low_disruption
- no_reboot_needed
- package_ypserv_removed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
+# CAUTION: This remediation script will remove ypserv
+# from the system, and may remove any packages
+# that depend on ypserv. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "ypserv" ; then
+
+ yum remove -y "ypserv"
+
+fi
|
| | Group
Rlogin, Rsh, and Rexec
Group contains 3 rules | [ref]
@@ -498,7 +498,10 @@
means that data from the login session, including passwords and
all other information transmitted during the session, can be
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-07-30 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 28 groups and 72 rules | Group
@@ -134,15 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -301,32 +301,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -493,39 +493,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
Ensure Oracle Linux GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software
@@ -652,10 +652,7 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, OL07-00-020260, SV-221720r603260_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 102 groups and 270 rules | Group
@@ -133,15 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -295,28 +295,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -423,32 +423,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 100 groups and 269 rules | Group
@@ -139,15 +139,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -301,28 +301,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -429,32 +429,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 168 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,25 +400,19 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,27 +444,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 182 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,24 +278,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -410,35 +410,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r779285_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 57 groups and 158 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,25 +400,19 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,27 +444,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 27 groups and 42 rules | Group
@@ -102,22 +102,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010381, SV-248582r779312_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r779309_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r779309_rule | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -231,19 +231,19 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,7 +268,24 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 49 groups and 105 rules | Group
@@ -136,15 +136,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -298,32 +298,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -478,20 +478,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -125,25 +125,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,19 +200,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,33 +288,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,19 +425,19 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 48 groups and 95 rules | Group
@@ -138,15 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -295,28 +295,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -420,32 +420,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -569,25 +569,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 54 groups and 140 rules | Group
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -452,25 +452,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -524,11 +524,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r818614_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -635,52 +635,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -116,25 +116,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -191,19 +191,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
|
Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -279,33 +279,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
|
| Group
System Cryptographic Policies
Group contains 8 rules |
[ref]
@@ -416,19 +416,19 @@
$ sudo yum install crypto-policies |
| Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed |
| Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 |
|
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 50 groups and 125 rules | Group
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
|
Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
|
| Group
Verify Integrity with AIDE
Group contains 3 rules |
|
The aide package can be installed with the following command:
$ sudo yum install aide |
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. |
| Severity: | medium |
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed |
| Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule |
|
|
Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -474,20 +474,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 29 groups and 78 rules | Group
@@ -134,15 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -470,25 +470,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
|
Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -542,10 +542,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r818787_rule | | |
|
Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -574,18 +574,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 106 groups and 395 rules | | Group
@@ -110,25 +110,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,7 +170,80 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r779996_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 104 groups and 393 rules | | Group
@@ -116,25 +116,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,7 +176,80 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r779996_rule | | Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 61 groups and 185 rules | | Group
@@ -115,25 +115,19 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -189,19 +189,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -322,19 +322,19 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,25 +401,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -471,10 +471,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 2022-07-30 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 29 groups and 78 rules | Group
@@ -134,15 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -470,25 +470,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -540,10 +540,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -571,18 +571,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 90 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 94 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 40 groups and 82 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- Services
- Mail Server Software
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 10 groups and 7 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- File Permissions and Masks
- SELinux
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 23 groups and 51 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-07-30 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 242 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-07-30 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-07-30 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-07-30 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
@@ -120,25 +120,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -183,24 +183,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,22 +317,7 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-27078-5 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -403,12 +403,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-80144-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -417,12 +417,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -433,12 +433,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-82014-2 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 165 rules | Group
@@ -116,25 +116,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -296,12 +296,12 @@
option. | | Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot | | Identifiers and References | Identifiers:
CCE-83333-5 References:
- BP28(R12) | | |
| Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-80144-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | | |
| Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -326,12 +326,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | Identifiers:
CCE-83339-2 References:
- BP28(R12) | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -343,12 +343,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-83376-4 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -357,12 +357,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
@@ -370,12 +370,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | Identifiers:
CCE-83342-6 References:
- BP28(R12) | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -429,35 +429,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-80374-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 57 groups and 155 rules | Group
@@ -116,25 +116,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -296,12 +296,12 @@
option. | | Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot | | Identifiers and References | Identifiers:
CCE-83333-5 References:
- BP28(R12) | | |
| Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-80144-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | | |
| Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -326,12 +326,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | Identifiers:
CCE-83339-2 References:
- BP28(R12) | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -343,12 +343,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-83376-4 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -357,12 +357,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
@@ -370,12 +370,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | Identifiers:
CCE-83342-6 References:
- BP28(R12) | | |
| | Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
- CCE-80351-0 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r603261_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
+ CCE-80351-0 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r603261_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -253,40 +253,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | Identifiers:
- CCE-80347-8 References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020060, SV-204448r603261_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 106 groups and 290 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -443,12 +443,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-80144-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -457,12 +457,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -473,12 +473,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-82014-2 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 95 groups and 227 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -441,12 +441,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| | Group
GNOME Desktop Environment
Group contains 1 group and 3 rules | [ref]
@@ -489,52 +489,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 89 groups and 222 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -441,12 +441,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| | Group
GNOME Desktop Environment
Group contains 1 group and 3 rules | [ref]
@@ -489,52 +489,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 104 groups and 288 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -443,12 +443,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-80144-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -457,12 +457,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -473,12 +473,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-82014-2 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | | Group
@@ -137,15 +137,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -437,25 +437,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,20 +499,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -144,17 +144,7 @@
CCE-80358-5 References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -217,72 +217,7 @@
CCE-80359-3References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -693,40 +693,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | | Group
@@ -139,15 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -307,28 +307,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -439,32 +439,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -573,22 +573,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-07-30 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | | Group
@@ -142,15 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -315,32 +315,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -520,52 +520,7 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-80120-9 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings. For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | Identifiers:
- CCE-80121-7 References:
- 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | | Group
@@ -160,15 +160,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -333,32 +333,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -460,25 +460,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -522,20 +522,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -135,17 +135,7 @@
CCE-80358-5 References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -208,72 +208,7 @@
CCE-80359-3References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -684,40 +684,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | | Group
@@ -133,15 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -306,32 +306,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -433,25 +433,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,20 +495,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | | Group
@@ -135,15 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -303,28 +303,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -435,32 +435,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -562,25 +562,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | | Group
@@ -158,15 +158,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,28 +326,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -458,32 +458,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -624,72 +624,7 @@
CCE-80359-3References:
12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
@@ -113,25 +113,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -185,12 +185,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-82053-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -201,12 +201,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-82014-2 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -216,12 +216,12 @@
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | Identifiers:
CCE-82034-0 References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -235,12 +235,12 @@
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | Identifiers:
CCE-82035-7 References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021330, 1.1.16, SV-204495r603261_rule | | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -275,40 +275,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | | Group
@@ -135,15 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -455,12 +455,12 @@
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | Identifiers:
CCE-82034-0 References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -474,12 +474,12 @@
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | Identifiers:
CCE-82035-7 References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021330, 1.1.16, SV-204495r603261_rule | | |
| | Group
Updating Software
Group contains 3 rules | [ref]
@@ -514,40 +514,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 102 groups and 263 rules | | Group
@@ -144,15 +144,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -312,28 +312,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,32 +444,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -571,25 +571,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 262 rules | | Group
@@ -150,15 +150,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -318,28 +318,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,32 +450,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -577,25 +577,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | Group
@@ -116,25 +116,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -296,12 +296,12 @@
option. | | Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot | | Identifiers and References | Identifiers:
CCE-83336-8 References:
- BP28(R12) | | |
| Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-81044-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule | | |
| Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -326,12 +326,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | Identifiers:
CCE-83340-0 References:
- BP28(R12) | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -343,12 +343,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-83387-1 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -357,12 +357,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-80851-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule | | |
| Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
@@ -370,12 +370,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | Identifiers:
CCE-83343-4 References:
- BP28(R12) | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,24 +286,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -424,35 +424,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-82891-3 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | Group
@@ -116,25 +116,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -296,12 +296,12 @@
option. | | Rationale: | The /boot partition contains the kernel and bootloader files.
Access to this partition should be restricted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_boot | | Identifiers and References | Identifiers:
CCE-83336-8 References:
- BP28(R12) | | |
| Rule
Ensure /home Located On Separate Partition
[ref] | If user home directories will be stored locally, create a separate partition
@@ -312,12 +312,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-81044-0 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule | | |
| Rule
Ensure /opt Located On Separate Partition
[ref] | It is recommended that the /opt directory resides on a separate
@@ -326,12 +326,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | | Identifiers and References | Identifiers:
CCE-83340-0 References:
- BP28(R12) | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -343,12 +343,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-83387-1 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -357,12 +357,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-80851-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule | | |
| Rule
Ensure /usr Located On Separate Partition
[ref] | It is recommended that the /usr directory resides on a separate
@@ -370,12 +370,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | | Identifiers and References | Identifiers:
CCE-83343-4 References:
- BP28(R12) | | |
| Rule
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-07-30 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | | Group
@@ -103,22 +103,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-82202-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r627750_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,22 +169,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-82197-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r627750_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -240,19 +240,19 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-82985-3 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-82494-6 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
+ CCE-82267-6 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 99 groups and 293 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,25 +446,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 88 groups and 226 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,25 +446,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 84 groups and 223 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,25 +446,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 290 rules | Group
@@ -115,25 +115,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,25 +446,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | | Group
@@ -137,15 +137,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -305,32 +305,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -429,25 +429,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,20 +491,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -126,25 +126,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -203,19 +203,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -295,33 +295,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -437,19 +437,19 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | | Group
@@ -139,15 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -302,28 +302,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -431,32 +431,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,25 +584,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | | Group
@@ -142,15 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -463,25 +463,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -538,11 +538,7 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -652,52 +652,7 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-80772-7 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | | Group
@@ -143,15 +143,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -306,28 +306,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -435,32 +435,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -559,25 +559,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -117,25 +117,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -194,19 +194,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -286,33 +286,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -428,19 +428,19 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | | Group
@@ -133,15 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -301,32 +301,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -425,25 +425,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -487,20 +487,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | Group
@@ -113,25 +113,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -195,25 +195,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -270,11 +270,7 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -325,12 +325,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-80851-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -341,12 +341,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-80852-7 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.3.1, SV-230292r627750_rule | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -356,12 +356,12 @@
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | Identifiers:
CCE-80853-5 References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r627750_rule | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -375,12 +375,12 @@
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | Identifiers:
CCE-80854-3 References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | | Group
@@ -135,15 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,25 +482,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -557,10 +557,7 @@
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | Identifiers:
CCE-80936-8 References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -591,18 +591,7 @@
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | Identifiers:
CCE-80937-6 References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 386 rules | Group
@@ -121,25 +121,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,78 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 383 rules | Group
@@ -127,25 +127,19 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,78 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 60 groups and 160 rules | Group
@@ -116,25 +116,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -296,12 +296,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-83468-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -313,12 +313,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-90846-7 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -327,12 +327,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-90845-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -343,12 +343,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-83466-3 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -358,12 +358,12 @@
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | Identifiers:
CCE-90848-3 References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -377,12 +377,12 @@
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | Identifiers:
CCE-90847-5 References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,24 +285,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -573,12 +573,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-83468-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -590,12 +590,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-90846-7 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -604,12 +604,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-90845-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 56 groups and 149 rules | Group
@@ -116,25 +116,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -296,12 +296,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | | Identifiers and References | Identifiers:
CCE-83468-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /srv Located On Separate Partition
[ref] | If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -313,12 +313,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | | Identifiers and References | Identifiers:
CCE-90846-7 References:
- BP28(R12) | | |
| Rule
Ensure /tmp Located On Separate Partition
[ref] | The /tmp directory is a world-writable directory used
@@ -327,12 +327,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | | Identifiers and References | Identifiers:
CCE-90845-9 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var Located On Separate Partition
[ref] | The /var directory is used by daemons and other system
@@ -343,12 +343,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | | Identifiers and References | Identifiers:
CCE-83466-3 References:
- BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| Rule
Ensure /var/log Located On Separate Partition
[ref] | System logs are stored in the /var/log directory.
@@ -358,12 +358,12 @@
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | Identifiers:
CCE-90848-3 References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -377,12 +377,12 @@
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | Identifiers:
CCE-90847-5 References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | | |
| | Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
- CCE-83536-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
+ CCE-83536-3 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -234,19 +234,19 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-83454-9 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -357,40 +357,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-83457-2 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-07-30 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 98 groups and 283 rules | Group
@@ -112,25 +112,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,20 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,24 +281,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,25 +442,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 87 groups and 216 rules | Group
@@ -112,25 +112,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,20 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,24 +281,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,25 +442,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 83 groups and 213 rules | Group
@@ -112,25 +112,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,20 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,24 +281,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,25 +442,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 94 groups and 280 rules | Group
@@ -112,25 +112,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,20 +173,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,24 +281,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,25 +442,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 133 rules | | Group
@@ -139,19 +139,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -277,19 +277,19 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -333,25 +333,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -407,34 +407,7 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 47 groups and 97 rules | | Group
@@ -167,28 +167,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -449,25 +449,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -522,11 +522,7 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-83445-7 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -175,32 +175,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -328,25 +328,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,11 +401,7 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-83445-7 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -514,52 +514,7 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-87524-5 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 70 groups and 147 rules | | Group
@@ -171,28 +171,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -300,32 +300,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -424,25 +424,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -561,25 +561,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 133 rules | | Group
@@ -129,19 +129,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -267,19 +267,19 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -323,25 +323,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -397,34 +397,7 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -166,32 +166,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -290,25 +290,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -351,20 +351,7 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -459,24 +459,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 105 groups and 358 rules | Group
@@ -122,25 +122,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,78 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 103 groups and 357 rules | Group
@@ -128,25 +128,19 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,78 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 45 groups and 116 rules | Group
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -473,20 +473,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 101 groups and 375 rules | Group
@@ -133,15 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -290,28 +290,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -415,32 +415,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 49 groups and 144 rules | Group
@@ -157,15 +157,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -314,28 +314,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -439,32 +439,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -668,25 +668,7 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,20 +491,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | Remediation Shell script ⇲| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
| Complexity: | high |
|---|
| Disruption: | medium |
|---|
| Strategy: | restrict |
|---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule
| |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -453,12 +453,12 @@
volume at installation time, or migrate it using LVM. | | Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | | Identifiers and References | References:
- BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15 | | |
| Rule
Ensure /var/log/audit Located On Separate Partition
[ref] | Audit logs are stored in the /var/log/audit directory.
@@ -471,12 +471,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | | Identifiers and References | References:
- BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.16, SV-204495r603261_rule | | |
| | Group
Updating Software
Group contains 3 rules | [ref]
@@ -510,40 +510,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule | | Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | medium |
|---|
| Strategy: | configure |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -596,6 +563,39 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+
# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,26 +43,19 @@
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall ypserv Package |
-The telnet-server package can be removed with the following command:
+The ypserv package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase ypserv
|
-It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
+The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
@@ -80,50 +73,18 @@
| BP28(R1) |
- Uninstall talk-server Package |
-
-The talk-server package can be removed with the following command: $ sudo yum erase talk-server
- |
-
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
- |
-
-
- | BP28(R1) |
- Uninstall rsh Package |
-
-
-The rsh package contains the client commands
-
-for the rsh services
- |
-
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
- |
-
-
- | BP28(R1) |
- Uninstall Sendmail Package |
+ Uninstall tftp-server Package |
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
@@ -144,35 +105,16 @@
| BP28(R1) |
- Uninstall tftp-server Package |
-
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall ypserv Package |
+ Remove telnet Clients |
-The ypserv package can be removed with the following command:
-
-$ sudo yum erase ypserv
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the ypserv package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
|
@@ -189,50 +131,79 @@
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
-The rsh-server package can be removed with the following command:
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
+ |
+
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+ |
+
+
+ | BP28(R1) |
+ Uninstall telnet-server Package |
+
+The telnet-server package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase telnet-server
|
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+
+Removing the telnet-server package decreases the risk of the
+telnet service's accidental (or intentional) activation.
|
| BP28(R1) |
- Remove telnet Clients |
+ Uninstall rsh Package |
-The telnet client allows users to start connections to other systems via
-the telnet protocol.
+
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -42,59 +42,55 @@
| Rationale |
- 3.1.1
3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Oracle Linux 7's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
-Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -121,27 +117,19 @@
|
3.1.1
3.1.5 |
- Disable SSH Access via Empty Passwords |
+ Restrict Virtual Console Root Logins |
-Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
|
-Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
|
@@ -165,34 +153,23 @@
3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Disable SSH Root Login |
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -217,71 +194,110 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
+ 3.1.1 |
+ Disable GDM Guest Login |
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
+The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,57 +43,22 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
-
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- |
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
The changing of file permissions could indicate that a user is attempting to
@@ -104,18 +69,18 @@
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
|
Misuse of privileged functions, either intentionally or unintentionally by
@@ -132,87 +97,142 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Mandatory Access Controls |
+ Record Unsuccessful Delete Attempts to Files - unlinkat |
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--w /etc/selinux/ -p wa -k MAC-policy
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--w /etc/selinux/ -p wa -k MAC-policy
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
-The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.
+Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Ensure auditd Collects File Deletion Events by User - renameat |
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
-At a minimum, the audit system should collect file deletion events
-for all users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+The audit system should collect detailed unauthorized file
+accesses for all users and root.
+To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+of files via open syscall the audit rules collecting these events need to be in certain order.
+The more specific rules need to come before the less specific rules. The reason for that is that more
+specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+before to not be overshadowed by less specific rules, which match a bigger set of events.
+Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), check the order of
+rules below in a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, check the order of rules below in
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
|
-Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+The more specific rules cover a subset of events covered by the less specific rules.
+By ordering them from more specific to less specific, it is assured that the less specific
+rule will not catch events better recorded by the more specific rule.
|
- IA-2
CM-6(a) |
- Direct root Logins Not Allowed |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - fchown |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Oracle Linux 7's
-/etc/securetty file only allows the root user to login at the console
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,20 +43,6 @@
|
AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
-The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
-openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
- AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -76,48 +62,49 @@
|
- | FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
-The audit package should be installed.
+The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
|
-The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
-To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
-If option freq isn't set to 50, the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Ensure the audit Subsystem is Installed |
-To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+The audit package should be installed.
|
-Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
@@ -135,24 +122,16 @@
| FAU_GEN.1 |
- Enable auditd Service |
+ Set number of records to cause an explicit flush to audit logs |
-The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
-Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+If option freq isn't set to 50, the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -177,58 +156,44 @@
- | FAU_GEN.1.1.c |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
+ FAU_GEN.1 |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
| FAU_GEN.1.1.c |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -87,6 +87,23 @@
|
| Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -115,23 +132,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
Ensure Software Patches Installed |
@@ -171,18 +171,17 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
|
@@ -202,17 +201,18 @@
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
|
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -289,55 +289,71 @@
| Req-8.1.8 |
- Set GNOME3 Screensaver Inactivity Timeout |
+ Set SSH Client Alive Count Max |
-The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
-
-For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
-[org/gnome/desktop/session]
-idle-delay=uint32 900
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
-A session time-out lock is a temporary action taken when a user stops work and moves away from
-the immediate physical vicinity of the information system but does not logout because of the
-temporary nature of the absence. Rather than relying on the user to manually lock their operating
-system session prior to vacating the vicinity, GNOME3 can be configured to identify when
-a user's session has idled and take action to initiate a session lock.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Implement Blank Screensaver |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+
+
+To set the screensaver mode in the GNOME3 desktop to a blank screen,
+add or set picture-uri to string '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+picture-uri=string ''
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Setting the screensaver mode to blank-only conceals the
+contents of the display from passersby.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max to zero |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,26 +43,19 @@
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall ypserv Package |
-The telnet-server package can be removed with the following command:
+The ypserv package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase ypserv
|
-It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
+The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
@@ -80,50 +73,18 @@
| BP28(R1) |
- Uninstall talk-server Package |
-
-The talk-server package can be removed with the following command: $ sudo yum erase talk-server
- |
-
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
- |
-
-
- | BP28(R1) |
- Uninstall rsh Package |
-
-
-The rsh package contains the client commands
-
-for the rsh services
- |
-
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
- |
-
-
- | BP28(R1) |
- Uninstall Sendmail Package |
+ Uninstall tftp-server Package |
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
@@ -144,35 +105,16 @@
| BP28(R1) |
- Uninstall tftp-server Package |
-
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall ypserv Package |
+ Remove telnet Clients |
-The ypserv package can be removed with the following command:
-
-$ sudo yum erase ypserv
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the ypserv package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
|
@@ -189,50 +131,79 @@
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
-The rsh-server package can be removed with the following command:
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
+ |
+
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+ |
+
+
+ | BP28(R1) |
+ Uninstall telnet-server Package |
+
+The telnet-server package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase telnet-server
|
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+
+Removing the telnet-server package decreases the risk of the
+telnet service's accidental (or intentional) activation.
|
| BP28(R1) |
- Remove telnet Clients |
+ Uninstall rsh Package |
-The telnet client allows users to start connections to other systems via
-the telnet protocol.
+
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -42,59 +42,55 @@
| Rationale |
- 3.1.1
3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Oracle Linux 8's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
-Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -121,27 +117,19 @@
|
3.1.1
3.1.5 |
- Disable SSH Access via Empty Passwords |
+ Restrict Virtual Console Root Logins |
-Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
|
-Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
|
@@ -165,34 +153,23 @@
3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Disable SSH Root Login |
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -217,71 +194,110 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
+ 3.1.1 |
+ Disable GDM Guest Login |
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
+The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,78 +43,26 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
-
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- |
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
-Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
-Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
|
The changing of file permissions could indicate that a user is attempting to
@@ -125,18 +73,18 @@
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
Misuse of privileged functions, either intentionally or unintentionally by
@@ -153,109 +101,142 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Mandatory Access Controls |
+ Record Unsuccessful Delete Attempts to Files - unlinkat |
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--w /etc/selinux/ -p wa -k MAC-policy
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--w /etc/selinux/ -p wa -k MAC-policy
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
-The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.
+Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Ensure auditd Collects File Deletion Events by User - renameat |
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
-At a minimum, the audit system should collect file deletion events
-for all users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+The audit system should collect detailed unauthorized file
+accesses for all users and root.
+To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+of files via open syscall the audit rules collecting these events need to be in certain order.
+The more specific rules need to come before the less specific rules. The reason for that is that more
+specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+before to not be overshadowed by less specific rules, which match a bigger set of events.
+Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), check the order of
+rules below in a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, check the order of rules below in
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -87,6 +87,23 @@
|
| Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -115,23 +132,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
Ensure Software Patches Installed |
@@ -171,18 +171,17 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
|
@@ -202,17 +201,18 @@
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
|
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -289,55 +289,71 @@
| Req-8.1.8 |
- Set GNOME3 Screensaver Inactivity Timeout |
+ Set SSH Client Alive Count Max |
-The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
-
-For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
-[org/gnome/desktop/session]
-idle-delay=uint32 900
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
-A session time-out lock is a temporary action taken when a user stops work and moves away from
-the immediate physical vicinity of the information system but does not logout because of the
-temporary nature of the absence. Rather than relying on the user to manually lock their operating
-system session prior to vacating the vicinity, GNOME3 can be configured to identify when
-a user's session has idled and take action to initiate a session lock.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Implement Blank Screensaver |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+
+
+To set the screensaver mode in the GNOME3 desktop to a blank screen,
+add or set picture-uri to string '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+picture-uri=string ''
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Setting the screensaver mode to blank-only conceals the
+contents of the display from passersby.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max to zero |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,78 +43,22 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
-
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- |
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
-Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
-Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
The changing of file permissions could indicate that a user is attempting to
@@ -125,18 +69,18 @@
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
|
Misuse of privileged functions, either intentionally or unintentionally by
@@ -153,109 +97,142 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Mandatory Access Controls |
+ Record Unsuccessful Delete Attempts to Files - unlinkat |
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--w /etc/selinux/ -p wa -k MAC-policy
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--w /etc/selinux/ -p wa -k MAC-policy
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
-The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.
+Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Ensure auditd Collects File Deletion Events by User - renameat |
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
-At a minimum, the audit system should collect file deletion events
-for all users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+The audit system should collect detailed unauthorized file
+accesses for all users and root.
+To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+of files via open syscall the audit rules collecting these events need to be in certain order.
+The more specific rules need to come before the less specific rules. The reason for that is that more
+specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+before to not be overshadowed by less specific rules, which match a bigger set of events.
+Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), check the order of
+rules below in a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, check the order of rules below in
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
|
-Auditing file deletions will create an audit trail for files that are removed
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,26 +43,19 @@
|
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall ypserv Package |
-The telnet-server package can be removed with the following command:
+The ypserv package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase ypserv
|
-It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
+The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
@@ -80,65 +73,18 @@
| BP28(R1) |
- Remove tftp Daemon |
-
-Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
- |
-
-It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
- |
-
-
- | BP28(R1) |
- Uninstall talk-server Package |
-
-The talk-server package can be removed with the following command: $ sudo yum erase talk-server
- |
-
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
- |
-
-
- | BP28(R1) |
- Uninstall rsh Package |
-
-
-The rsh package contains the client commands
-
-for the rsh services
- |
-
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
- |
-
-
- | BP28(R1) |
- Uninstall Sendmail Package |
+ Uninstall tftp-server Package |
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
@@ -159,35 +105,31 @@
| BP28(R1) |
- Uninstall tftp-server Package |
+ Remove telnet Clients |
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
|
| BP28(R1) |
- Uninstall ypserv Package |
+ Remove tftp Daemon |
-The ypserv package can be removed with the following command:
-
-$ sudo yum erase ypserv
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
|
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the ypserv package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
|
@@ -204,50 +146,79 @@
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
-The rsh-server package can be removed with the following command:
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
+ |
+
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+ |
+
+
+ | BP28(R1) |
+ Uninstall telnet-server Package |
+
+The telnet-server package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase telnet-server
|
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -68,26 +68,6 @@
|
| 1.1.1.2 |
- Disable Mounting of freevxfs |
-
-
-To configure the system to prevent the freevxfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
-install freevxfs /bin/true
-
-To configure the system to prevent the freevxfs from being used,
-add the following line to file /etc/modprobe.d/freevxfs.conf:
-blacklist freevxfs
-
-This effectively prevents usage of this uncommon filesystem.
- |
-
-Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
- |
-
-
- | 1.1.1.2 |
Disable Mounting of squashfs |
@@ -112,17 +92,17 @@
|
- | 1.1.1.3 |
- Disable Mounting of jffs2 |
+ 1.1.1.2 |
+ Disable Mounting of freevxfs |
-To configure the system to prevent the jffs2
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
-install jffs2 /bin/true
+To configure the system to prevent the freevxfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
+install freevxfs /bin/true
-To configure the system to prevent the jffs2 from being used,
-add the following line to file /etc/modprobe.d/jffs2.conf:
-blacklist jffs2
+To configure the system to prevent the freevxfs from being used,
+add the following line to file /etc/modprobe.d/freevxfs.conf:
+blacklist freevxfs
This effectively prevents usage of this uncommon filesystem.
|
@@ -158,6 +138,26 @@
+ | 1.1.1.3 |
+ Disable Mounting of jffs2 |
+
+
+To configure the system to prevent the jffs2
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
+install jffs2 /bin/true
+
+To configure the system to prevent the jffs2 from being used,
+add the following line to file /etc/modprobe.d/jffs2.conf:
+blacklist jffs2
+
+This effectively prevents usage of this uncommon filesystem.
+ |
+
+Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+ |
+
+
| 1.1.1.4 |
Disable Mounting of hfs |
@@ -622,6 +622,23 @@
|
| 1.2.3 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -649,23 +666,6 @@
|
- | 1.2.3 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
| 1.2.5 |
Disable Red Hat Network Service (rhnsd) |
@@ -686,18 +686,6 @@
|
| 1.3.1 |
- Install AIDE |
-
-The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
-The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
- | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -725,6 +713,18 @@
|
+ | 1.3.1 |
+ Install AIDE |
+
+The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -799,30 +799,28 @@
|
| 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg Permissions |
-The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+File permissions for /boot/grub2/grub.cfg should be set to 600.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the permissions of /boot/grub2/grub.cfg, run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Proper permissions ensure that only the root user can modify important boot
+parameters.
|
| 1.4.2 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
-The file /boot/grub2/grub.cfg should
+The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -42,59 +42,55 @@
| Rationale |
- 3.1.1
3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux 7's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
-Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -121,27 +117,19 @@
|
3.1.1
3.1.5 |
- Disable SSH Access via Empty Passwords |
+ Restrict Virtual Console Root Logins |
-Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
|
-Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
|
@@ -165,34 +153,23 @@
3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Disable SSH Root Login |
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -217,71 +194,110 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
+ 3.1.1 |
+ Disable GDM Guest Login |
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
+The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,57 +43,22 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
-
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- |
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
|
The changing of file permissions could indicate that a user is attempting to
@@ -104,18 +69,18 @@
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
|
Misuse of privileged functions, either intentionally or unintentionally by
@@ -132,87 +97,142 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Mandatory Access Controls |
+ Record Unsuccessful Delete Attempts to Files - unlinkat |
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--w /etc/selinux/ -p wa -k MAC-policy
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--w /etc/selinux/ -p wa -k MAC-policy
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
-The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.
+Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Ensure auditd Collects File Deletion Events by User - renameat |
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
-At a minimum, the audit system should collect file deletion events
-for all users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+The audit system should collect detailed unauthorized file
+accesses for all users and root.
+To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+of files via open syscall the audit rules collecting these events need to be in certain order.
+The more specific rules need to come before the less specific rules. The reason for that is that more
+specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+before to not be overshadowed by less specific rules, which match a bigger set of events.
+Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), check the order of
+rules below in a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, check the order of rules below in
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
|
-Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+The more specific rules cover a subset of events covered by the less specific rules.
+By ordering them from more specific to less specific, it is assured that the less specific
+rule will not catch events better recorded by the more specific rule.
|
- IA-2
CM-6(a) |
- Direct root Logins Not Allowed |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - fchown |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux 7's
-/etc/securetty file only allows the root user to login at the console
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,20 +43,6 @@
|
AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
-The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
-openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
- AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -76,48 +62,49 @@
|
- | FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
-The audit package should be installed.
+The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
|
-The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
-To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
-If option freq isn't set to 50, the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Ensure the audit Subsystem is Installed |
-To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+The audit package should be installed.
|
-Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
@@ -135,24 +122,16 @@
| FAU_GEN.1 |
- Enable auditd Service |
+ Set number of records to cause an explicit flush to audit logs |
-The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
-Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+If option freq isn't set to 50, the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -177,58 +156,44 @@
- | FAU_GEN.1.1.c |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
+ FAU_GEN.1 |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
| FAU_GEN.1.1.c |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -88,6 +88,23 @@
|
| Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -116,23 +133,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
Ensure Software Patches Installed |
@@ -172,18 +172,17 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
|
@@ -203,17 +202,18 @@
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
|
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -290,55 +290,71 @@
| Req-8.1.8 |
- Set GNOME3 Screensaver Inactivity Timeout |
+ Set SSH Client Alive Count Max |
-The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
-
-For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
-[org/gnome/desktop/session]
-idle-delay=uint32 900
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
-A session time-out lock is a temporary action taken when a user stops work and moves away from
-the immediate physical vicinity of the information system but does not logout because of the
-temporary nature of the absence. Rather than relying on the user to manually lock their operating
-system session prior to vacating the vicinity, GNOME3 can be configured to identify when
-a user's session has idled and take action to initiate a session lock.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Implement Blank Screensaver |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+
+
+To set the screensaver mode in the GNOME3 desktop to a blank screen,
+add or set picture-uri to string '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+picture-uri=string ''
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Setting the screensaver mode to blank-only conceals the
+contents of the display from passersby.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max to zero |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,26 +43,19 @@
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall ypserv Package |
-The telnet-server package can be removed with the following command:
+The ypserv package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase ypserv
|
-It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
+The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
@@ -80,6 +73,52 @@
| BP28(R1) |
+ Uninstall tftp-server Package |
+
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ |
+
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
+ |
+
+
+ | BP28(R1) |
+ Uninstall DHCP Server Package |
+
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp-server package can be removed with the following command:
+
+$ sudo yum erase dhcp-server
+ |
+
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ |
+
+
+ | BP28(R1) |
+ Remove telnet Clients |
+
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
+ |
+
+
+ | BP28(R1) |
Remove tftp Daemon |
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
@@ -94,15 +133,56 @@
|
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
+
+The telnet daemon should be uninstalled.
+ |
+
+telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
+ |
+
+
| BP28(R1) |
- Uninstall talk-server Package |
+ Remove NIS Client |
-The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+ |
+
+
+ | BP28(R1) |
+ Uninstall telnet-server Package |
+
+The telnet-server package can be removed with the following command:
+
+$ sudo yum erase telnet-server
+ |
+
+It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+
+Removing the telnet-server package decreases the risk of the
+telnet service's accidental (or intentional) activation.
|
@@ -143,63 +223,32 @@
| BP28(R1) |
- Uninstall DHCP Server Package |
+ Uninstall talk Package |
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp-server package can be removed with the following command:
+The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
-$ sudo yum erase dhcp-server
- |
-
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
- |
-
-
- | BP28(R1) |
- Uninstall tftp-server Package |
-
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+$ sudo yum erase talk
|
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
|
| BP28(R1) |
- Uninstall ypserv Package |
-
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -68,51 +68,51 @@
|
| 1.1.1.2 |
- Disable Mounting of vFAT filesystems |
+ Disable Mounting of squashfs |
-To configure the system to prevent the vfat
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
-install vfat /bin/true
+To configure the system to prevent the squashfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
+install squashfs /bin/true
-To configure the system to prevent the vfat from being used,
-add the following line to file /etc/modprobe.d/vfat.conf:
-blacklist vfat
+To configure the system to prevent the squashfs from being used,
+add the following line to file /etc/modprobe.d/squashfs.conf:
+blacklist squashfs
This effectively prevents usage of this uncommon filesystem.
-The vFAT filesystem format is primarily used on older
-windows systems and portable USB drives or flash modules. It comes
-in three types FAT12, FAT16, and FAT32
-all of which are supported by the vfat kernel module.
+The squashfs filesystem type is a compressed read-only Linux
+filesystem embedded in small footprint systems (similar to
+cramfs). A squashfs image can be used without having
+to first decompress the image.
|
-Removing support for unneeded filesystems reduces the local attack
+Removing support for unneeded filesystem types reduces the local attack
surface of the system.
|
| 1.1.1.2 |
- Disable Mounting of squashfs |
+ Disable Mounting of vFAT filesystems |
-To configure the system to prevent the squashfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
-install squashfs /bin/true
+To configure the system to prevent the vfat
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
+install vfat /bin/true
-To configure the system to prevent the squashfs from being used,
-add the following line to file /etc/modprobe.d/squashfs.conf:
-blacklist squashfs
+To configure the system to prevent the vfat from being used,
+add the following line to file /etc/modprobe.d/vfat.conf:
+blacklist vfat
This effectively prevents usage of this uncommon filesystem.
-The squashfs filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-cramfs). A squashfs image can be used without having
-to first decompress the image.
+The vFAT filesystem format is primarily used on older
+windows systems and portable USB drives or flash modules. It comes
+in three types FAT12, FAT16, and FAT32
+all of which are supported by the vfat kernel module.
|
-Removing support for unneeded filesystem types reduces the local attack
+Removing support for unneeded filesystems reduces the local attack
surface of the system.
|
@@ -722,6 +722,23 @@
|
| 1.2.3 |
+ Enable authselect |
+
+Configure user authentication setup to use the authselect tool.
+
+If authselect profile is selected, the rule will enable the minimal profile.
+ |
+
+Authselect is a successor to authconfig.
+It is a tool to select system authentication and identity sources from a list of supported profiles
+instead of letting the administrator build the PAM stack with a tool.
+
+That way, it avoids potential breakage of configuration,
+as it ships several tested profiles that are well tested and supported and that each solve a use-case.
+ |
+
+
+ | 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -749,35 +766,6 @@
|
- | 1.2.3 |
- Enable authselect |
-
-Configure user authentication setup to use the authselect tool.
-
-If authselect profile is selected, the rule will enable the minimal profile.
- |
-
-Authselect is a successor to authconfig.
-It is a tool to select system authentication and identity sources from a list of supported profiles
-instead of letting the administrator build the PAM stack with a tool.
-
-That way, it avoids potential breakage of configuration,
-as it ships several tested profiles that are well tested and supported and that each solve a use-case.
- |
-
-
- | 1.3.1 |
- Install AIDE |
-
-The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
-The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
| 1.3.1 |
Build and Test AIDE Database |
@@ -806,6 +794,18 @@
|
+ | 1.3.1 |
+ Install AIDE |
+
+The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -880,30 +880,28 @@
|
| 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg Permissions |
-The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+File permissions for /boot/grub2/grub.cfg should be set to 600.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the permissions of /boot/grub2/grub.cfg, run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Proper permissions ensure that only the root user can modify important boot
+parameters.
|
| 1.4.2 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
-The file /boot/grub2/grub.cfg should
+The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
The root group is a highly-privileged group. Furthermore, the group-owner of this
@@ -926,14 +924,14 @@
|
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -42,59 +42,55 @@
Rationale |
- 3.1.1
3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
-To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux 8's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
-Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -121,27 +117,19 @@
|
3.1.1
3.1.5 |
- Disable SSH Access via Empty Passwords |
+ Restrict Virtual Console Root Logins |
-Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
|
-Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
|
@@ -165,34 +153,23 @@
3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Disable SSH Root Login |
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -217,71 +194,110 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
+ 3.1.1 |
+ Disable GDM Guest Login |
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
+The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -43,78 +43,26 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Creation Attempts to Files - open O_CREAT |
-
-The audit system should collect unauthorized file accesses for
-all users and root. The open syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via open syscall are collected.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- |
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
-Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
-Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr |
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
|
The changing of file permissions could indicate that a user is attempting to
@@ -125,18 +73,18 @@
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
Misuse of privileged functions, either intentionally or unintentionally by
@@ -153,109 +101,142 @@
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Mandatory Access Controls |
+ Record Unsuccessful Delete Attempts to Files - unlinkat |
-If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--w /etc/selinux/ -p wa -k MAC-policy
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--w /etc/selinux/ -p wa -k MAC-policy
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
-The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.
+Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Ensure auditd Collects File Deletion Events by User - renameat |
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly |
-At a minimum, the audit system should collect file deletion events
-for all users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+The audit system should collect detailed unauthorized file
+accesses for all users and root.
+To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+of files via open syscall the audit rules collecting these events need to be in certain order.
+The more specific rules need to come before the less specific rules. The reason for that is that more
+specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+before to not be overshadowed by less specific rules, which match a bigger set of events.
+Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), check the order of
+rules below in a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, check the order of rules below in
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-07-30 00:00:00.000000000 +0000
@@ -88,6 +88,23 @@
|
| Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -116,23 +133,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
Ensure Software Patches Installed |
@@ -172,18 +172,17 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
|
@@ -203,17 +202,18 @@
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Group Ownership |
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
|
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -290,55 +290,71 @@
| Req-8.1.8 |
- Set GNOME3 Screensaver Inactivity Timeout |
+ Set SSH Client Alive Count Max |
-The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
-
-For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
-[org/gnome/desktop/session]
-idle-delay=uint32 900
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
-A session time-out lock is a temporary action taken when a user stops work and moves away from
-the immediate physical vicinity of the information system but does not logout because of the
-temporary nature of the absence. Rather than relying on the user to manually lock their operating
-system session prior to vacating the vicinity, GNOME3 can be configured to identify when
-a user's session has idled and take action to initiate a session lock.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Implement Blank Screensaver |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+
+
+To set the screensaver mode in the GNOME3 desktop to a blank screen,
+add or set picture-uri to string '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+picture-uri=string ''
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Setting the screensaver mode to blank-only conceals the
+contents of the display from passersby.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max to zero |
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
|
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 7
+1DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R7.
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 8
+1DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R6.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -152,7 +152,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -205,24 +205,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -230,44 +225,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -275,19 +265,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -295,24 +296,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -320,29 +321,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -154,7 +154,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -207,24 +207,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -232,44 +227,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -277,19 +267,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -297,24 +298,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -322,29 +323,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,24 +51,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -76,44 +71,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -121,19 +111,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -141,24 +142,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -166,29 +167,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -200,7 +200,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -253,39 +253,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -293,44 +283,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -338,39 +323,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -378,44 +369,53 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -202,7 +202,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -255,39 +255,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -295,44 +285,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -340,39 +325,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -380,44 +371,53 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,39 +51,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -91,44 +81,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -136,39 +121,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -176,44 +167,53 @@
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -140,7 +140,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -193,29 +193,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -223,35 +218,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -259,74 +253,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -142,7 +142,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -195,29 +195,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -225,35 +220,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -261,74 +255,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,29 +51,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -81,35 +76,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -117,74 +111,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -136,7 +136,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -179,29 +179,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -209,64 +204,60 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -274,14 +265,19 @@
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -289,24 +285,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1756,15 +1756,6 @@
The hashes of important files like system executables should match the
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -136,7 +136,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -179,29 +179,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -209,64 +204,60 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -274,14 +265,19 @@
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -289,24 +285,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1756,15 +1756,6 @@
The hashes of important files like system executables should match the
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,502 +7,502 @@
2022-07-30T00:00:00
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Ensure remote access methods are monitored in Rsyslog
+
+ Uninstall abrt-plugin-sosreport Package
- ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1
+ ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Verify the UEFI Boot Loader grub.cfg Group Ownership
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Record Successful Ownership Changes to Files - fchown
+
+ Add noexec Option to /tmp
- ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Randomize layout of sensitive kernel structures
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-kernel_config_gcc_plugin_randstruct_action:testaction:1
-
- Verify /boot/grub2/grub.cfg Group Ownership
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure Backups of User Data
+
+ Require modules to be validly signed
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Insecure File Locking is Not Allowed
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-no_insecure_locks_exports_action:testaction:1
-
- Add nosuid Option to /var
+
+ Limit sampling frequency of the Perf system
- ocil:ssg-mount_option_var_nosuid_action:testaction:1
+ ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Ensure SNMP Read Write is disabled
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-snmpd_no_rwusers_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Configure SELinux Policy
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-selinux_policytype_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Harden slab freelist metadata
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -43,29 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,64 +68,60 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -138,14 +129,19 @@
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -153,24 +149,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1620,15 +1620,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -171,29 +171,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -201,34 +196,29 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -236,19 +226,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -256,24 +257,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -281,29 +282,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -130,7 +130,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -173,29 +173,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -203,34 +198,29 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -238,19 +228,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -258,24 +259,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -283,29 +284,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,520 +7,532 @@
2022-07-30T00:00:00
-
- Disable the daemons_dump_core SELinux Boolean
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Add noexec Option to /var/log
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Disable Avahi Server Software
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Uninstall abrt-plugin-sosreport Package
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Disable graphical user interface
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- UEFI Boot Loader Is Not Installed On Removeable Media
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-uefi_no_removeable_media_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Configure SSSD LDAP Backend to Use TLS For All Transactions
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-sssd_ldap_start_tls_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Configure AIDE to Use FIPS 140-2 for Validating Hashes
+
+ Add noexec Option to /tmp
- ocil:ssg-aide_use_fips_hashes_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Verify the UEFI Boot Loader grub.cfg Group Ownership
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Record Successful Ownership Changes to Files - fchown
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- User Initialization Files Must Not Run World-Writable Programs
+
+ Require modules to be validly signed
- ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Configure firewalld To Rate Limit Connections
+
+ Verify Permissions on /etc/hosts.allow
- ocil:ssg-configure_firewalld_rate_limiting_action:testaction:1
+ ocil:ssg-file_permissions_etc_hosts_allow_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Limit sampling frequency of the Perf system
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1
-
- Verify /boot/grub2/grub.cfg Group Ownership
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Configure SELinux Policy
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,29 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,34 +68,29 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -108,19 +98,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -128,24 +129,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -153,29 +154,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -144,7 +144,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -187,79 +187,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -267,34 +252,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -302,44 +293,53 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -146,7 +146,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -189,79 +189,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -269,34 +254,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -304,44 +295,53 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,2452 +7,2453 @@
2022-07-30T00:00:00
-
- Disable the daemons_dump_core SELinux Boolean
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Add noexec Option to /var/log
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Ensure remote access methods are monitored in Rsyslog
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Uninstall abrt-libs Package
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-package_abrt-libs_removed_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Disable Avahi Server Software
+
+ Enable the File Access Policy Service
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-service_fapolicyd_enabled_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Uninstall abrt-plugin-sosreport Package
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Disable graphical user interface
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- UEFI Boot Loader Is Not Installed On Removeable Media
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-uefi_no_removeable_media_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Add noexec Option to /tmp
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Configure SSSD LDAP Backend to Use TLS For All Transactions
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-sssd_ldap_start_tls_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Configure AIDE to Use FIPS 140-2 for Validating Hashes
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-aide_use_fips_hashes_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Verify the UEFI Boot Loader grub.cfg Group Ownership
+
+ Require modules to be validly signed
- ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Successful Ownership Changes to Files - fchown
+
+ Limit sampling frequency of the Perf system
- ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1
+ ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1
-
- User Initialization Files Must Not Run World-Writable Programs
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Configure SELinux Policy
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,79 +43,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -123,34 +108,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -158,44 +149,53 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -112,7 +112,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -155,19 +155,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -180,79 +180,79 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1359,15 +1359,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1499,6 +1490,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
+
@@ -1638,32 +1638,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -114,7 +114,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -157,19 +157,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -182,79 +182,79 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1361,15 +1361,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1501,6 +1492,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
+
@@ -1640,32 +1640,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,790 +7,790 @@
2022-07-30T00:00:00
-
- Add noexec Option to /var/log
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Enable the File Access Policy Service
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-service_fapolicyd_enabled_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Add noexec Option to /tmp
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure Backups of User Data
+
+ Require modules to be validly signed
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Configure SELinux Policy
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-selinux_policytype_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure nss-tools is installed
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Ensure syslog-ng is Installed
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Uninstall gssproxy Package
+
+ Add nodev Option to /boot
- ocil:ssg-package_gssproxy_removed_action:testaction:1
+ ocil:ssg-mount_option_boot_nodev_action:testaction:1
-
- Limit Users' SSH Access
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Ensure All SGID Executables Are Authorized
+
+ Enable the USBGuard Service
- ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1
+ ocil:ssg-service_usbguard_enabled_action:testaction:1
-
- Ensure rsyslog-gnutls is installed
+
+ Authorize Human Interface Devices and USB hubs in USBGuard daemon
- ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1
+ ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Enable PAM
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -43,19 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,79 +68,79 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1247,15 +1247,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1387,6 +1378,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
+
@@ -1526,32 +1526,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -116,7 +116,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -159,19 +159,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
@@ -184,59 +194,50 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -244,39 +245,38 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -94988,1528 +94988,1522 @@
2022-07-30T00:00:00
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
-
-
-
- Add noexec Option to /var/log
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -116,7 +116,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -159,19 +159,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
@@ -184,59 +194,50 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -244,39 +245,38 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -94988,1528 +94988,1522 @@
2022-07-30T00:00:00
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
-
-
-
- Add noexec Option to /var/log
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,1528 +7,1522 @@
2022-07-30T00:00:00
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
-
-
-
- Add noexec Option to /var/log
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Enable the File Access Policy Service
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-service_fapolicyd_enabled_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Configure Backups of User Data
+
+ Add noexec Option to /tmp
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Add nosuid Option to /var
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-mount_option_var_nosuid_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Require modules to be validly signed
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Configure SELinux Policy
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-selinux_policytype_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Ensure nss-tools is installed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1
-
- Set Interactive Session Timeout
+
+ Ensure syslog-ng is Installed
- ocil:ssg-accounts_tmout_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Record Unsuccessful Ownership Changes to Files - fchown
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -43,19 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
@@ -68,59 +78,50 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -128,39 +129,38 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -148,7 +148,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -191,24 +191,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -216,44 +211,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -261,19 +251,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -281,24 +282,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -306,29 +307,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -150,7 +150,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -193,24 +193,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -218,44 +213,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -263,19 +253,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -283,24 +284,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -308,29 +309,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,2098 +7,2110 @@
2022-07-30T00:00:00
-
- Disable the fenced_can_ssh SELinux Boolean
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-sebool_fenced_can_ssh_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Disable the daemons_dump_core SELinux Boolean
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Disable the privoxy_connect_any SELinux Boolean
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-sebool_privoxy_connect_any_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Disable Avahi Server Software
+
+ Uninstall abrt-plugin-sosreport Package
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Disable the conman_can_network SELinux Boolean
+
+ Disable DHCP Client in ifcfg
- ocil:ssg-sebool_conman_can_network_action:testaction:1
+ ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Disable graphical user interface
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Disable the mcelog_foreground SELinux Boolean
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-sebool_mcelog_foreground_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Require Client SMB Packet Signing, if using mount.cifs
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-mount_option_smb_client_signing_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- UEFI Boot Loader Is Not Installed On Removeable Media
+
+ Disable the httpd_can_check_spam SELinux Boolean
- ocil:ssg-uefi_no_removeable_media_action:testaction:1
+ ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Add noexec Option to /tmp
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Configure SSSD LDAP Backend to Use TLS For All Transactions
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-sssd_ldap_start_tls_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure AIDE to Use FIPS 140-2 for Validating Hashes
+
+ Require modules to be validly signed
- ocil:ssg-aide_use_fips_hashes_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Verify the UEFI Boot Loader grub.cfg Group Ownership
+
+ Ensure Insecure File Locking is Not Allowed
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -43,24 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -68,44 +63,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -113,19 +103,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -133,24 +134,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -158,29 +159,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -196,7 +196,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -239,39 +239,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -279,44 +269,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -324,39 +309,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -364,44 +355,53 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -198,7 +198,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -241,39 +241,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -281,44 +271,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -326,39 +311,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -366,44 +357,53 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,2284 +7,2290 @@
2022-07-30T00:00:00
-
- Disable the fenced_can_ssh SELinux Boolean
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-sebool_fenced_can_ssh_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Disable the daemons_dump_core SELinux Boolean
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Disable the privoxy_connect_any SELinux Boolean
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-sebool_privoxy_connect_any_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Ensure remote access methods are monitored in Rsyslog
+
+ Enable the File Access Policy Service
- ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1
+ ocil:ssg-service_fapolicyd_enabled_action:testaction:1
-
- Disable Avahi Server Software
+
+ Uninstall abrt-plugin-sosreport Package
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Disable the conman_can_network SELinux Boolean
+
+ Disable DHCP Client in ifcfg
- ocil:ssg-sebool_conman_can_network_action:testaction:1
+ ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Disable graphical user interface
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Disable the mcelog_foreground SELinux Boolean
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-sebool_mcelog_foreground_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Require Client SMB Packet Signing, if using mount.cifs
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-mount_option_smb_client_signing_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Disable the httpd_can_check_spam SELinux Boolean
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1
-
- UEFI Boot Loader Is Not Installed On Removeable Media
+
+ Add noexec Option to /tmp
- ocil:ssg-uefi_no_removeable_media_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure SSSD LDAP Backend to Use TLS For All Transactions
+
+ Require modules to be validly signed
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,39 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -83,44 +73,39 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
@@ -128,39 +113,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -168,44 +159,53 @@
-
+
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -136,7 +136,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -179,29 +179,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -209,35 +204,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -245,74 +239,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -138,7 +138,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -181,29 +181,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -211,35 +206,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -247,74 +241,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,1450 +7,1450 @@
2022-07-30T00:00:00
-
- Disable the fenced_can_ssh SELinux Boolean
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-sebool_fenced_can_ssh_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Disable the daemons_dump_core SELinux Boolean
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Record Unsuccessful Creation Attempts to Files - open O_CREAT
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Record Successful Access Attempts to Files - ftruncate
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Disable the privoxy_connect_any SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-sebool_privoxy_connect_any_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Enable the File Access Policy Service
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-service_fapolicyd_enabled_action:testaction:1
-
- Ensure remote access methods are monitored in Rsyslog
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Disable Avahi Server Software
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Disable graphical user interface
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-xwindows_remove_packages_action:testaction:1
-
- Disable the conman_can_network SELinux Boolean
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-sebool_conman_can_network_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
+
+ Require Client SMB Packet Signing, if using mount.cifs
- ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
+ ocil:ssg-mount_option_smb_client_signing_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Disable the mcelog_foreground SELinux Boolean
+
+ Record Unsuccessful Delete Attempts to Files - unlinkat
- ocil:ssg-sebool_mcelog_foreground_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Disable the httpd_can_check_spam SELinux Boolean
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Add noexec Option to /tmp
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-mount_option_tmp_noexec_action:testaction:1
-
- Disable ntpdate Service (ntpdate)
+
+ Randomize layout of sensitive kernel structures
- ocil:ssg-service_ntpdate_disabled_action:testaction:1
+ ocil:ssg-kernel_config_gcc_plugin_randstruct_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Require modules to be validly signed
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Configure AIDE to Use FIPS 140-2 for Validating Hashes
+
+ Disable the samba_export_all_ro SELinux Boolean
- ocil:ssg-aide_use_fips_hashes_action:testaction:1
+ ocil:ssg-sebool_samba_export_all_ro_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Limit sampling frequency of the Perf system
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,29 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,35 +68,34 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -109,74 +103,80 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,24 +171,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -196,59 +196,55 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
@@ -256,24 +252,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -281,24 +277,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1990,15 +1990,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,24 +171,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -196,59 +196,55 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
@@ -256,24 +252,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -281,24 +277,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1990,15 +1990,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,400 +7,388 @@
2022-07-30T00:00:00
-
- Disable the daemons_dump_core SELinux Boolean
-
- ocil:ssg-sebool_daemons_dump_core_action:testaction:1
-
-
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Set the UEFI Boot Loader Password
+
+ All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-accounts_users_home_files_permissions_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Disable the daemons_use_tty SELinux Boolean
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tty_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- disable the selinuxuser_execstack SELinux Boolean
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Configure AIDE to Use FIPS 140-2 for Validating Hashes
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-aide_use_fips_hashes_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Record Successful Ownership Changes to Files - fchown
+
+ Record Successful Permission Changes to Files - fchmod
- ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1
-
- User Initialization Files Must Not Run World-Writable Programs
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Record Successful Permission Changes to Files - lsetxattr
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1
-
- Verify /boot/grub2/grub.cfg Group Ownership
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Configure Backups of User Data
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Require modules to be validly signed
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Enable the staff_exec_content SELinux Boolean
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-sebool_staff_exec_content_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Configure SELinux Policy
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-selinux_policytype_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Ensure nss-tools is installed
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Uninstall ypserv Package
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-package_ypserv_removed_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure SMAP is not disabled during boot
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,24 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,59 +68,55 @@
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
@@ -128,24 +124,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -153,24 +149,28 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1862,15 +1862,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -152,7 +152,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -205,24 +205,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -230,44 +225,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -275,19 +265,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -295,24 +296,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -320,29 +321,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -154,7 +154,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -207,24 +207,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -232,44 +227,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -277,19 +267,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -297,24 +298,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -322,29 +323,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,24 +51,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -76,44 +71,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -121,19 +111,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -141,24 +142,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -166,29 +167,28 @@
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
RPMS.2017/scap-security-guide-ubuntu-0.1.63-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.63-0.0.noarch.rpm differ: byte 226, line 1
Comparing scap-security-guide-ubuntu-0.1.63-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.63-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -184,4 +184,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 41eae236f3a8bf22678db90403e1ffe90501f095a51b2606729a570ee95851a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html dcf860a427aa2f8902385df197b20f91d65f9759dbb49d7e473a70d0fa5294d7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 3c6caeb15715889576471db02279b7c629b46d094f904060d2cbdabf9daea80a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 5d3ebdd422ebef971c55ea4afba8bf820e9c011492b40fb497197313d910c8f5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 7e6e2f3b0b3faf97fb7c53814a19508b78d38e4bf7b4f3331d0ada3f2e4c6f23 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html d7c0c3578f6762852afbd2675254477d33cd5bb8aae2be179338c36b91d34576 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html b16a463fd62c9201ed8144418be7665c506b9dc48ce60201f65e3dbba1d58d99 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 7b536ab932accce2ebd5c02a0ae0f97106f4fb2ce7dbb2eb3c1baa545ad36b17 2
@@ -189,6 +189,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html b109681527c50822951be5aa9702469d6f3a73b42c1d5e74836c9191d4d0955d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 6375380b9a80cc62411025e06ef69084044f5ce06c72cd1582865653924943d4 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 071a8798d9e9a21ab9260f8f7910bf897a252a849a213f6773b75dc389e890b9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 7c5ab094ec96b6e27d70f269df1120d92c9cd80adfaa0a967ebd7da208098af8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html af314bfc71ca14e192b5626dec625cf5987412972d7d768ff5bede32bd04f6cd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 4ceef8f0602622c62fd18d241e2af4af3b67710648e780ce959f943a98d64ca6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 5b23ec433f0f7c31056fa6377250b781004a74adda515e61924e9256417b058f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 7a394e534fedd0413d69f2f79c4b702062bf7e7a091a1ab5d049c76e2dd1311c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 982efc96cb3952c5472a826446c610797b7f58240b1d4f10253ea519950087a4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 97bf9cb8a766d26a40bd9f73a8b6ccd67fe1d723bc81d9f4627741d7642d2520 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html cb2e50bd5be36ab69ee9b3166c7918c96faaa63532a37dc30ca0569caa2f03a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 4004efd3fdd65f511f7c29c5a298bf5a903c447373f806bcf1965957bac21c1f 2
@@ -196,5 +196,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 22f02f146f308935087364dcb04c7a4ed0777de3e9bbfaf9836286800d9ab5a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 6f5a740c3a24e0bdfdc3aac3138dcf435b6d5bcd19f25e3d7dee6b0aef948974 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html bb20c26a4b29d9f44a089a6f3eefa3c8d4a4ce292bedb38c5260619adef3469c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 0c897f6ea391740a6c48ec5d2f08f1542885354559a1e7e0fd8bc8ed8f4bc1c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 6f9572a5a3d2b950a2d51c371eb664b155e9efa9d2ffcd496f0ad9f81f65cd8b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 6290cb22076f82f13cfab428c65e5d8c8354f01e291ffa9b250a865afe110279 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 5c0c696c2bc74b3fc564710dd95f90440b1eb7762bb9c4e6668752e3a89be74e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 003c789a9e5737019bbb0b738606d66ee4fb7fc32daa4d6fa7c1e645ad17ed2f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 153e0cf422b9dff319be144baeab8434e1144d0529b33c782f629fb9fffec7d5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html be0bfaf51eb7bdd6decdbf8518be8c4370784206e21fed4db0d3a21afd56dc97 2
@@ -202,2 +202,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 8c0433ce3526ef6687abaaeba0df6d20dccb98c78ecf622e1c13d1de9fad2f48 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 25c6e1353f789008ed62e89ef55450b129e3f8d00d69981032b52e45e727f70a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 9e4531377cb0d2514dad81e9825d3f68ac537027263901a5fe18407e312bb6f0 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html add25ed2b58b9af269697987f4c2ec8473caac418d77c6aa2a00ad51a18666aa 2
@@ -250,3 +250,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml e2615a2abea54ee547f1eb5cb62afde8e36b3ba41920f3b2510bd5c2e2771ed3 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 74b90c7f1469dd233300b5102c04c27aea7f064e7793ff08f8965336355c3b46 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2959952f8485275179330424a6ee7bfd22062bffaaba74c98c22eebaaf433f5f 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 646eab1aa8668bda573ba27d135a69ea668f5c21b8d37d86fa5d7f5be02caafa 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 9b18264aefbdd0e392dbdf96a0cedd01c5ccf4f315fae23a4b45015266f8aeed 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml fea1f1f00cb05ff9c6dc41644fd8583118198052e602edac3362b8021a51e3a8 0
@@ -254 +254 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml b1da339c17ea8475b0f1e72efbc900c6cb8a89e73f7a2155a57305375ec2165d 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 92ce5954ef6834325b68adc39f5398943d2754ef153d530d680507513902186e 0
@@ -257,3 +257,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 711f5e4c20025266ce85fd5af0481a32f1616bccad5b8ccb834faba7ee485637 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 7849e1ffabe0010aa8f9b02cad6f83edf487bd110ea2087601dd03e7196be221 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 3e67687205f09e826f1d9b2329c3f08c1d633c442521009f26bdb05a750ee5c9 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml de7c15b395e488afddd4050ba4d7e285d49380ee78f7e2442c0df2636bb4e0b3 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 4950ea584f2e5c9b0a2b0d475de6e88561323e3ab437dd6a69dee66c214f74ca 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml cb21f06cd33c4acb119b67791e1009e64d2a2be7c6f2b0b51e6e188b1b5b6b4e 0
@@ -261 +261 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 8c3b1d47a505009b55160088e4ba36f92d0cb6a005737553ea6eea3a2d10637f 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 3f6980cb6afe122d4e46e75b84072f25766cde67ff30e728c6a68a36a151a732 0
@@ -264,3 +264,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml e1d9e505deb526d737d6f6f75c85b9444af4855587e0b29269f9e95acd978400 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 6182946bf12807e2770837921ce8bb43645f5d254e7e16cdcae4839458923276 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml f5b5731c371d25fbdfa099c7bfb15270753530199f14671549c073baa8441210 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 29525f33944812a3c332a6a2031c46138930cf4968fe201ee4d71c2caf947e80 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml d6c79079815fa4fbc6625ee8a1ad9183dc29db240f608a303d8b843119eead7c 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 070ad8e9ea3aff1f1c5a4c3ee8e6fd9632878e394f08e6ccd54a6380e381f35c 0
@@ -268 +268 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 67eeb192ef762e590cbed1e1c36233bb9063bb33bfb94d5a291d1157eef09ee6 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml fa30d6c4a7659c318e95d638999f4b70a35245262c31c2db3fb0ce4a55353b85 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-07-30 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 40 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,28 +387,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,11 +507,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 22 groups and 46 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,21 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 9 groups and 19 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,11 +243,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 21 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,21 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 45 rules | | Group
@@ -230,21 +230,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -283,7 +283,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -484,28 +484,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 40 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,28 +387,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,11 +507,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 22 groups and 46 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,21 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 9 groups and 19 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,11 +243,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,21 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 71 rules | | Group
@@ -1065,7 +1065,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Network Configuration and Firewalls
Group contains 1 group and 2 rules | [ref]
@@ -1185,21 +1185,7 @@
kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf:
install rds /bin/true | | Rationale: | Disabling RDS protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3 | | |
| Rule
Disable TIPC Support
[ref] | The Transparent Inter-Process Communication (TIPC) protocol
@@ -1230,21 +1230,7 @@
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. | | Rationale: | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 | | |
| | Group
File Permissions and Masks
Group contains 7 groups and 41 rules | | To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group- | | Rationale: | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns Backup gshadow File
[ref] | To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp shadow /etc/gshadow- | | Rationale: | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns Backup passwd File
[ref] | To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd- | | Rationale: | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 45 rules | | Group
@@ -228,21 +228,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -281,7 +281,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -482,28 +482,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 81 groups and 189 rules | | Group
@@ -110,21 +110,17 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,18 +166,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,21 +267,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -470,21 +470,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -513,6 +499,20 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm3
+# from the system, and may remove any packages
+# that depend on gdm3. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,21 +530,17 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 78 groups and 188 rules | | Group
@@ -110,21 +110,17 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,18 +166,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,21 +267,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -557,21 +557,17 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -597,27 +597,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 92 groups and 273 rules | | Group
@@ -110,21 +110,17 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,18 +166,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,21 +267,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -515,21 +515,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -558,6 +544,20 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm3
+# from the system, and may remove any packages
+# that depend on gdm3. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,21 +575,17 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 92 groups and 275 rules | | Group
@@ -110,21 +110,17 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,18 +166,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,21 +267,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -602,21 +602,17 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -642,27 +642,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 22 groups and 45 rules | | Group
@@ -257,21 +257,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, UBTU-20-010182, 4.1.1.1 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -311,7 +311,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, 4.1.1.2 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -512,28 +512,7 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7, 4.3 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.63 - draft
- (as of 2022-08-14)
+ (as of 2038-09-15)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- APT service configuration
- Base Services
- Deprecated services
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 74 groups and 190 rules | | Group
@@ -112,21 +112,17 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -270,21 +270,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -698,37 +698,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, UBTU-20-010014 | | |
| | Group
Updating Software
Group contains 1 rule | [ref]
@@ -1427,42 +1427,7 @@
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit | | Identifiers and References | References:
- BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380, UBTU-20-010052, 5.3.1 | Remediation Shell script ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | restrict |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
-
-var_password_pam_dcredit='-1'
-
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit"
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -96,7 +96,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -139,19 +139,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -159,64 +159,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2876,6 +2876,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2897,20 +2911,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -2928,6 +2928,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2949,20 +2963,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -98,7 +98,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -141,19 +141,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -161,64 +161,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2878,6 +2878,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2899,20 +2913,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -2930,6 +2930,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2951,20 +2965,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,412 +7,412 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Configure Backups of User Data
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Require modules to be validly signed
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Ensure nss-tools is installed
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Ensure syslog-ng is Installed
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Limit Users' SSH Access
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Enable PAM
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Enable SLUB debugging support
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ The Chronyd service is enabled
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ Disable X11 Forwarding
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Remove the kernel mapping in user mode
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-kernel_config_page_table_isolation_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Limit the Number of Concurrent Login Sessions Allowed Per User
- ocil:ssg-file_permissions_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
-
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+
+ Use zero for poisoning instead of debugging value
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -43,19 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -63,64 +63,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2780,6 +2780,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2801,20 +2815,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -2832,6 +2832,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2853,20 +2867,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -96,7 +96,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -139,19 +139,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -159,64 +159,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3210,6 +3210,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3231,20 +3245,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3262,6 +3262,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3283,20 +3297,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -96,7 +96,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -139,19 +139,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -159,64 +159,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3210,6 +3210,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3231,20 +3245,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3262,6 +3262,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3283,20 +3297,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,778 +7,778 @@
2022-07-30T00:00:00
-
- Disable merging of slabs with similar size
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Add noexec Option to Removable Media Partitions
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Configure Backups of User Data
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Require modules to be validly signed
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Ensure nss-tools is installed
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Limit Users' SSH Access
+
+ Ensure syslog-ng is Installed
- ocil:ssg-sshd_limit_user_access_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Direct root Logins Not Allowed
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-no_direct_root_logins_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Enable SLUB debugging support
+
+ Enable PAM
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+
+ Verify User Who Owns /var/log/syslog File
- ocil:ssg-sudo_add_noexec_action:testaction:1
+ ocil:ssg-file_owner_var_log_syslog_action:testaction:1
-
- Configure auditd Disk Full Action when Disk Space Is Full
+
+ The Chronyd service is enabled
- ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Disable the Automounter
+
+ Disable X11 Forwarding
- ocil:ssg-service_autofs_disabled_action:testaction:1
+ ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ Add nosuid Option to /var/tmp
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1
-
- Verify that Shared Library Directories Have Restrictive Permissions
+
+ Configure L1 Terminal Fault mitigations
- ocil:ssg-dir_permissions_library_dirs_action:testaction:1
+ ocil:ssg-grub2_l1tf_argument_action:testaction:1
-
- Verify Permissions on /var/log/messages File
+
+ Remove the kernel mapping in user mode
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -43,19 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
@@ -63,64 +63,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3114,6 +3114,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3135,20 +3149,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3166,6 +3166,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3187,20 +3201,6 @@
false
fi
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-07-30 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,19 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -167,45 +172,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -213,34 +218,29 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3074,6 +3074,11 @@
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3082,15 +3087,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3108,10 +3104,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -3210,18 +3210,6 @@
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-07-30 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,19 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -167,45 +172,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -213,34 +218,29 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3074,6 +3074,11 @@
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3082,15 +3087,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3108,10 +3104,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -3210,18 +3210,6 @@
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-07-30 00:00:00.000000000 +0000
@@ -7,682 +7,676 @@
2022-07-30T00:00:00
-
- Ensure remote access methods are monitored in Rsyslog
-
- ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1
-
-
-
- Disable Avahi Server Software
+
+ Verify Permissions on /var/log/syslog File
- ocil:ssg-service_avahi-daemon_disabled_action:testaction:1
+ ocil:ssg-file_permissions_var_log_syslog_action:testaction:1
-
- Set the UEFI Boot Loader Password
+
+ System Audit Logs Must Have Mode 0640 or Less Permissive
- ocil:ssg-grub2_uefi_password_action:testaction:1
+ ocil:ssg-file_permissions_var_log_audit_action:testaction:1
-
- Disable merging of slabs with similar size
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
- Ensure the audit Subsystem is Installed
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-package_audit_installed_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Verify Owner on cron.hourly
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chfn
- ocil:ssg-file_owner_cron_hourly_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chfn_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Enable Smart Card Logins in PAM
+
+ Ensure /var/log Located On Separate Partition
- ocil:ssg-smartcard_pam_enabled_action:testaction:1
+ ocil:ssg-partition_for_var_log_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable PubkeyAuthentication Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
- Disable /dev/kmem virtual device support
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
- ocil:ssg-kernel_config_devkmem_action:testaction:1
+ ocil:ssg-sudo_remove_no_authenticate_action:testaction:1
-
- Configure Backups of User Data
+
+ Require modules to be validly signed
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Ensure Log Files Are Owned By Appropriate User
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-rsyslog_files_ownership_action:testaction:1
-
- Record Attempts to Alter Process and Session Initiation Information btmp
+
+ Ensure nss-tools is installed
- ocil:ssg-audit_rules_session_events_btmp_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Disable SSH Access via Empty Passwords
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
- Ensure LDAP client is not installed
+
+ Ensure syslog-ng is Installed
- ocil:ssg-package_openldap-clients_removed_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Use Only FIPS 140-2 Validated MACs
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Enable use of Berkeley Packet Filter with seccomp
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-kernel_config_seccomp_filter_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Record Events that Modify User/Group Information - /etc/group
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1
-
- Ensure SMAP is not disabled during boot
+
+ Disable Core Dumps for SUID programs
- ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
+ ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1
-
- Record Events that Modify the System's Mandatory Access Controls
+
+ Enable PAM
- ocil:ssg-audit_rules_mac_modification_action:testaction:1
+ ocil:ssg-sshd_enable_pam_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - renameat
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Set Interactive Session Timeout
+
+ User Initialization Files Must Be Owned By the Primary User
- ocil:ssg-accounts_tmout_action:testaction:1
+ ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-07-30 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,19 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -63,45 +68,45 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
@@ -109,34 +114,29 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2970,6 +2970,11 @@
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2978,15 +2983,6 @@
}
}
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: aide
@@ -3004,10 +3000,14 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -3106,18 +3106,6 @@
For AIDE to be effective, an initial database of "known-good" information about files
overalldiffered=4 (number of pkgs that are not bit-by-bit identical: 0 is good)
overall=1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|