~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide
~/f/scap-security-guide
RPMS.2017/scap-security-guide-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-0.1.60-0.0.noarch.rpm differ: byte 226, line 1
Comparing scap-security-guide-0.1.60-0.0.noarch.rpm to scap-security-guide-0.1.60-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide
--- old-rpm-tags
+++ new-rpm-tags
@@ -175,23 +175,23 @@
/usr/share/doc/scap-security-guide/README.md 562c264f1cc27aaa1cc2bc7f8948b7611809f95310a155269c8d9d386cbef988 2
/usr/share/doc/scap-security-guide/guides 0
/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-index.html 24d819602b71d3456c0dae7da24576397e6a75db3e810a3e0537f2a084e19aa2 2
-/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html b139fc13caddd238c372900cae2913365680e8b8b6f8b55a708c3e49ee43becf 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html ca6f074143483b4dcab543c0d87a37eeee2d43393408c4ffaac30dfc36616647 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 481640853b1c046044609782938ce7799253e59a2d10490bbd886ff238edcaf3 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 6bd63ad9442942dd697223970927b30e4e0681ae65036eff7fd220fd65abdfbc 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html c2cdc647c74f01c89a5c26ad6d61e759fdc41e9552d4c4e186f78245a71a348a 2
+/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html ae47cff21a33ae598655485e40c48477f650166c926e98b0a6d7a235cf6961b8 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 257745dc72e01c8c6e5b574fd829d06a717591970de220ea302e8e6ce41ac4fe 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html ae1834a368f261df8b7177aa995f8de787d23008cb50e7964144d68a0c85c659 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 8cf8e04c456031b2d03e15c4d9b60eb0794fb5d46c3ab18956b1c04c0ce5ce09 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 05e2e049adaafa11ba8a50d25c6352b16de4a57fd6dd68a71fbc15f9e339be6f 2
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-index.html c5b92cf7357a90a64d2efd073ee7fe443f3099fc0553d0a700eb87fc72680160 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html ecc06ed555e78907f19cfa95f3de55e9c94c2a1bc7c9dad6a592c3b083fceb49 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html b2589fd4270c8fbf809499e5e49ae3d55bdbcc8ade16387d056c0e316b3b307b 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 9c7d0b75c6cc625b0de018c93626cbf3853c001a74d48442985a76aa4eb63b55 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 633d069b4eeaf9f9a7c40b88cc3bfd4bb761faaccdc29494d8455a5a35733c40 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 45eaca4598c381aa8129eda77f66a0a07b3c44b64dbd859d4cc4fc818d7f8520 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 9a6ab57a80d5caec65d84e0b48bea9696826ba34ec40b366ee469b91c4437714 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html eb1183785cae0b871764c1d19a315b633f869873248e5fe4cdc1364cc0763fe4 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 615dcd7e3b1175e2449c29c832fa0fa56c7b79f625aec042a0d00dbe122f3ff8 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html c36d66da9120e82cbf594c7649b67a75d8cd78229b2bf2fc1bfe601116fbba3c 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html b17e7cc4568ffdc7b6efa03295692261986688900394a5776a37686d114b2aaa 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 98bb7f0b8a675def04976f64ef0e08456446f35688ee9acdd0d5e81fc2ba9b8f 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 70a646614490967b56950fa74ed9298b603c263a9f88f95fddce88fd0415c58a 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html b04a8ed72c712f7b4e144783fcda942ef4a4fa5ff7c5c48c9876f9fe4a6ce59b 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html d4343db0e577cfb26f44e67c7b6250fa17fe7e3dcefd3d3e615109239ea073ff 2
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-index.html 88342f637ca0771f79fc4af081a6343f66ce639f9ac2a9c3061537b9328ce79d 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html e31401d29518fe966a6aa86451a7c9eaa7bd71c0f8d85595f0383d52e8be5b97 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 6ea9c47a39b5a776a53824f63956a31aa815de9de2637224bf5ebd742b473a6e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 744e09d69df058e8c54b4b4a0c26ae6021027a559567f7994cc6ff0f784d6d0b 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html f57a2d33f9aa0bf4a5ebff3aa735444b5c49c9150f7f56864d2279534026fed1 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html a09dd8821ebd919404305ad416f15dc49fbc51251b23499e08893f8da4f2d6a3 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 72a9ce832aca705c75a0a210377f7bba1ededa98a78455b5b78118d4f2967c2a 2
/usr/share/doc/scap-security-guide/tables 0
/usr/share/doc/scap-security-guide/tables/table-sle12-stig-testinfo.html 2d6f220dd81b1c9e7336b36e2d67f8e71dff158c898d9fc13fdce2ed42d4c5bd 2
/usr/share/doc/scap-security-guide/tables/table-sle12-stig.html 9b7f1d63436763bd089c95bb51d02f225993fd6e4054e12532df8640fb3c09f3 2
@@ -241,25 +241,25 @@
/usr/share/xml/scap/ssg/content 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-dictionary.xml e74fe69303dc5c832394ad561fca005b8c51dd5e2f1fc6c1226c01adcdc41555 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-oval.xml 83ca184b4d7108f3eea071d90492d7fa52a69e57ae303d9a383caca621dee248 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2825cabecabe02530f11b91ab5d6a6cba0eca98840098b3eaec15fba003611c2 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml c7b505dfbe2396e8bc24b8533d489718f90244b775e39592a65f57e8c136fa6d 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 4c433fbbdb71a9bdd14cbe5c7f3ea8a76446ed9ca5ba1d2d5c94868b83476bd4 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 6833dee8e023b42f48ce0e24028d6353f8f27caed9cd41e88fe3a5d0d30ef1ee 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 0daa2d228a75c4aeccbb9b310d18b263f1e4f1497bc29d0ee9a0e52b27e5463d 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml c579edfd5774502707e1e06c239d5d2510dbc6650f7670703e5e922a21d35369 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-oval.xml 99c2236258011126a26b06911e9c6c2d2dbe2cf7b3b88884a38406e7bcdc0009 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml aa3de512d123a41e43b443334ad1560bc8cff9d013c589a5bdc862407e50d19b 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 6d026d291a0c6552529e9fca5a66396cde586a411c2793cd561e7f412b8bf693 0
/usr/share/xml/scap/ssg/content/ssg-sle12-cpe-dictionary.xml 87cbf0ec173473eb057058a903543caf888104c4d8b57fc5bcf33a5a0436e5c4 0
/usr/share/xml/scap/ssg/content/ssg-sle12-cpe-oval.xml 69c6cc5b20a165930e8bfc29b81b33e35c9bf04800b99125ecbe7fce2e89c277 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml c4f391a0c4ca369f322c6e1d8ed91e84c8a4569ffaaf0094c7c12a8ccb73c3f0 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml f90e76278461b1e9bfb3ba9d8ffa32d4f0fbb41288d62bba17c94790a887f736 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 88f34828749bc36510d3cf0e41523cca9f59a95fa3d23cc188ed2fe739a376fe 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml ff15359dc83020a2899a26cc89101b3223dbd9798d4b891b2d6c76ead1f9131e 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 95d2533cbfa890760e2957ba06576577091702eb798dfefacb755eeba4f1de5b 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml f16d377a0e9710d43676653194072f673102b65cf936b702eef23ded6c77db4a 0
/usr/share/xml/scap/ssg/content/ssg-sle12-oval.xml 35b9a24ad4cd968895303fb06a0cfe336fc76d340afe87c497365ea3b67c10af 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 865b32bb91d9512491e373f5efa9247e11d26814478d873ee9567051436445c9 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 099ea6e73a1b0165f17394ef10340a076852874f2c8f023b788c3a063bb27d3a 0
/usr/share/xml/scap/ssg/content/ssg-sle15-cpe-dictionary.xml ac6771fb31b41063b1f22199798b68efe280ec48843a41fe8eceac8d4f9cc915 0
/usr/share/xml/scap/ssg/content/ssg-sle15-cpe-oval.xml 82f3be46d1784faaa2991d1a5610105b649d9d999695756bfc3d60b37ab93632 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml b230545c3b559dbae0106293b063f1dffab813191d993ac091898d0fa7abc916 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 60ec759cc3dae50b68bc71677cc63926b96fc266707dcd3e918b6b7398ba52b9 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 00374eb125010bac63bd56d816813e96ccefa6afa5ff904cf505665511fc28d5 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 32cd2f3827f0e31ab40cffda06362aaf5efbffb7e3480a110138775027587703 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 7278e7f239fa444c8ec50123371d128d3832bdd1896ffc331d30d3d308dafe5d 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 813f80f5fc30b5843651704ddf5950c1f8643b2abde0dee4c60b223eae30c7c9 0
/usr/share/xml/scap/ssg/content/ssg-sle15-oval.xml fe7a0b3b2ba31ba8f91972d2c4879c81e9751369fa9c94b3cc6c676e521ad5c4 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 0f801c74e007a9064849ef750f262ac40e3c0892d9f5e6b7199b1f9026f7350e 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 092756348dd4fcb582d44a169fcc2a4b703891475c59f5b33b9b20532fe20925 0
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for openSUSE</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.1 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.2 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.3 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:15.0 is applicable to this Benchmark">cpe:/o:opensuse:leap:15.0</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OPENSUSE"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OPENSUSE"><span class="label label-default">Group</span>
Guide to the Secure Configuration of openSUSE
<small>Group contains 4 groups and 3 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OPENSUSE"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 100 groups and 257 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 89 groups and 194 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 83 groups and 191 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 98 groups and 256 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for SUSE Linux Enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 4 groups and 3 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for SUSE Linux Enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 12
<small>Group contains 83 groups and 229 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 109 groups and 279 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 97 groups and 216 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 91 groups and 213 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 107 groups and 278 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -73,7 +73,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 54 groups and 133 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 48 groups and 109 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for SUSE Linux Enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 44 groups and 115 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for SUSE Linux Enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>
Guide to the Secure Configuration of SUSE Linux Enterprise 15
<small>Group contains 83 groups and 235 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12559,154 +12559,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12559,154 +12559,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,154 +7,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="OPENSUSE" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of openSUSE</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -53,9 +53,9 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +68,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,19 +83,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -103,19 +98,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -24381,802 +24381,802 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-run_chkstat_ocil:questionnaire:1">
- <ocil:title>OS commands and libraries must have the proper permissions to protect from unauthorized access</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-run_chkstat_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-gui_login_dod_acknowledgement_ocil:questionnaire:1">
+ <ocil:title>Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_host_based_files_ocil:questionnaire:1">
+ <ocil:title>Remove Host-Based Authentication Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -24383,802 +24383,802 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-run_chkstat_ocil:questionnaire:1">
- <ocil:title>OS commands and libraries must have the proper permissions to protect from unauthorized access</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-run_chkstat_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-gui_login_dod_acknowledgement_ocil:questionnaire:1">
+ <ocil:title>Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_host_based_files_ocil:questionnaire:1">
+ <ocil:title>Remove Host-Based Authentication Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,802 +7,802 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-run_chkstat_ocil:questionnaire:1">
- <ocil:title>OS commands and libraries must have the proper permissions to protect from unauthorized access</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-run_chkstat_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-gui_login_dod_acknowledgement_ocil:questionnaire:1">
+ <ocil:title>Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_host_based_files_ocil:questionnaire:1">
+ <ocil:title>Remove Host-Based Authentication Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_host_based_files_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="SLE-12" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of SUSE Linux Enterprise 12</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,14 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
<platform id="cpe_platform_audit">
@@ -58,29 +53,29 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_zypper">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:zypper"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sudo">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sudo"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_sudo">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
<platform id="cpe_platform_ntp">
@@ -88,24 +83,24 @@
<fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_zypper">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:zypper"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
<platform id="cpe_platform_sssd">
@@ -113,19 +108,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -28572,2062 +28572,2057 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1">
+ <ocil:title>Require Encryption for Remote Access in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -28574,2062 +28574,2057 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1">
+ <ocil:title>Require Encryption for Remote Access in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,2062 +7,2057 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-file_etc_security_opasswd_ocil:questionnaire:1">
- <ocil:title>Verify Permissions and Ownership of Old Passwords File</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_etc_security_opasswd_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-banner_etc_gdm_banner_ocil:questionnaire:1">
- <ocil:title>Modify the System GUI Login Banner</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-banner_etc_gdm_banner_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_ocil:questionnaire:1">
+ <ocil:title>Disable Kernel Parameter for IPv6 Forwarding by default</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_strongswan_installed_ocil:questionnaire:1">
- <ocil:title>Install strongswan Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_strongswan_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure zypper Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1">
+ <ocil:title>Require Encryption for Remote Access in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="SLE-15" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of SUSE Linux Enterprise 15</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,34 +43,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_audit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_audit">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:audit"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_zypper">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:zypper"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:pam"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_login_defs">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -78,24 +83,24 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
<platform id="cpe_platform_ntp">
@@ -103,14 +108,9 @@
<fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_zypper">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:zypper"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -118,14 +118,14 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_sssd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -133,14 +133,14 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
RPMS.2017/scap-security-guide-debian-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.60-0.0.noarch.rpm differ: byte 226, line 1
Comparing scap-security-guide-debian-0.1.60-0.0.noarch.rpm to scap-security-guide-debian-0.1.60-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -161,24 +161,24 @@
___QF_CHECKSUM___
/usr/share/doc/scap-security-guide 0
/usr/share/doc/scap-security-guide/guides 0
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html da4bdfa700556dc2904ee9cae20fd49398a5679ed9aab4fa0cd316a4f8b16afb 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html b8870e377fe99aaa8b20d2b46143add05f6a98f6e0251838007523ea35fc7e43 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 62552ac4c80460cde6248fecb321532ac2528f3dea1ea75d47d5d7c9d93590e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html f6ccf76b6b1773d840f3fb5ae04335bf4bf6bfc60334bccc8286c32e407293f9 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html cfc02e92c68f9c4e8e09aa5c2f9bdc919dc77a2c0163caae69d02685d92c9f63 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html b585b39098a8f024d53715f134aceafd5995b8a6fc81de487ed034dec1583c8d 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 24d19a2a95af4d7f297a2a177299e0561095e0dca9729cc436c23f0a1a6fe0b8 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 47c6d493120d9f39fdf742179c1d799730c60eda6778f45aa1eceb9960cc1ce2 2
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-index.html 4c70fb844d3eb9dfa68aa23fe7434bdc1afbc721c881fa867a2ebb1b727f868d 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 0d19b28834c2ecf7cf713e05f5f6104e55aab2b670dddfc5162000e24adb6258 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 8f1f4d00b3020508eb0aec03c1154163a50b5c691f86bb312074ba39ca3a1126 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html ac6b4c890527fa3bd1b62c85ee058c3df17d3a9a3c4946bb0904623d3031641f 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 758ea384eebf6b2c35641fa350bad8b8533c70ba2fde394f3011b532f6d810c4 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2ebd9fec4ecf948fdd696597123f917170920c48a51317139e74bcafb57444ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html f4b32bba27ec91ea6dabc90f169cced72fcb6f5f3c2296fb4938be1f8d6467f8 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 25397533828383041cd2cd50948c8a4213d7d437f3663b67e9f81ff223fc2421 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html d47f4b3c376da8fe2990ae40a6a57426ae2101922bf3f8863991c69325ad12d9 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 96ae934f52e42120fc6ec140e21fb560367a03356f088bb02bfc6c97864f8075 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 6e45ae059e48c57afa1a0591c9abd6fb68eacb36bf6ac9384e75a393d30233a8 2
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-index.html 526b0320e62ca31b4985a3c2e0c0030ce2793c88feeb98a45d5f3ab36965e8ea 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 480b4d76d2617f5f4a130f589ebbaf2681be8a8a32864edda2c94558542dfc96 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 96b5453633c9ab9e748d4bed110257f43d54f3f64cbfeb2668c36217d90003d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 66b14c006480c61ff79c7f1cf2125d22a13ce9fc3e3b4aec0fb04a55d5b574ff 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 989aae90ffbb7d054549afe2c291e5dc6a184b990f71add159c069551b2a0a0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 1ac467d63238d9d7acb53417a017eb1efc98fe851a319d9b27d2c691883928c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 4a206d459fc060aaa8fc871e0f165fa774fa2ac93be2bcb9472a3d10a0121d06 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 732c4cd561cdba7db71f94ce93db1ee15c41d4f700665018d0e47da5509411b0 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html b9a9ac927bc100e78dd1bfa90e73127915893d5a2201c557885467928f97ed87 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html f33d9ea5284936f0e5c9b7b5bfa2f562830e29d5a01f97e6fef5aed3245eba46 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html c0fc76600a36fa53c50cd3f3536e9b1777d7155c4dbce6a68e16d94a314280e2 2
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-index.html c7ed843f644f07aa2581c84b2b1bd64acf5640908c83cfef7ba12db77fd172ec 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html a7cbc4ba7f72d5910570785efaa5faa938801a1ddd3dcb480a0b7405061a5d1f 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 3109f8b056ee934b4baef2080a08e1955d290a66aa8eed838de575298a324685 2
/usr/share/doc/scap-security-guide/tables 0
/usr/share/licenses/scap-security-guide-debian 0
/usr/share/licenses/scap-security-guide-debian/LICENSE ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 128
@@ -221,25 +221,25 @@
/usr/share/xml/scap/ssg/content 0
/usr/share/xml/scap/ssg/content/ssg-debian10-cpe-dictionary.xml d27baca83f907e1d7e4a6093e9f78474c2dbd5d043c895f79c0a692e5e8582d2 0
/usr/share/xml/scap/ssg/content/ssg-debian10-cpe-oval.xml e9c0b69349485bea7f4f16613784387c210befe5ecb8434a2417e23a5bf87997 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 095de58bfb22e81716a7f413b99551b72ba8771db145ce843553d9648acd06b6 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 0576a4d080b61e41ea6bdd78e1c49433ea70eb24538d62671f590bd0ad5a795a 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml d9a66a2ec48b7e59c008b31da767837bad2223b428684fbcf61894d7f5454488 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml db07661593a0c8bf862c2829deae83557514ecf11edee7517a2f64f0b8d762c3 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0
/usr/share/xml/scap/ssg/content/ssg-debian10-oval.xml 049a6e32fcad7c91789e4ede1f90776ba47866305495669fa0f2ebdf7e0f2351 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 5de9d035c64324490814b5b0c4366c583cbeebb8e04b1fd70b5ebd55daba81a4 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 5d417062e87f5ea22c57a9ef8925ac084ba6bb20f6ced5de9213bbe50c9ba86f 0
/usr/share/xml/scap/ssg/content/ssg-debian11-cpe-dictionary.xml a7bb5d3760c4f041cb7bb9518a32f14642eb9ac2a5dbbd58fa994f3d8cc8f142 0
/usr/share/xml/scap/ssg/content/ssg-debian11-cpe-oval.xml 49c4ef25ee5d257130bb9f41ec7f74eb2fcf856f36e2a74fc771205655e58333 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml f70376f7b69455297333f8d3fbd37c07ccfb4a79d0893e0075d5587206d34878 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml f6762e3dcd999455f54956d4cae27657016fa6988111b7d6f2616243d937fd0b 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 7ebac849f407b2d8eb249bb8556cbb531e66d37865c66e8348728910ed884b21 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml f2b4e110b71b320385efdca0e66f7a31fda39afdca88f09e89cfe71c789abc57 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0
/usr/share/xml/scap/ssg/content/ssg-debian11-oval.xml 127cdb9972403755bdc268242b984c26a4a0fc91c2a30a6fba3edc19e4532467 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 04b353a93121db0d4d74a561a52f4a358ccc3c15f0b2fabccb0392cbff1944a2 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 971fbf8a0c7d857245ba32421541ff2bb4d076512bf2dda9896ed640569845da 0
/usr/share/xml/scap/ssg/content/ssg-debian9-cpe-dictionary.xml 2094791bef1ba62d6b2719ba4ceb602d66c6da73357cf9377c78c0af5df0414e 0
/usr/share/xml/scap/ssg/content/ssg-debian9-cpe-oval.xml 6f56634ae0f990b447bd39244e0cedcfe0cdd2be6d726dc7ffec06a874f74e7d 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 4f2b4d065151356443c1e74241bbdb3cc2da3782c2b2ef2c76c90763c7004713 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 21debda87b1e66a2f82ef8389141a9066f5d362328a6cc00e0dafbbf031164c8 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 555dbff887ab0530f78d67089bbce7aa785b4675d1438a73acc68ec85387e13a 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 68f783bdf767a96ed9ed6229889ccca32deaa33a3b63fe99686cc715d6b32072 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0
/usr/share/xml/scap/ssg/content/ssg-debian9-oval.xml f8612f0abe5a40a7f783a896e0a60590d4c2f42a34598fa6ea4cb936416985d3 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 20f9b47c36c74bc2f01432d77ea54a342ec4b615f33ff195752210878ddacd21 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 1ec7069a6b64313e9292630ee699050a9bfa665d5a4fe76138e9b2db7a059312 0
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 10
<small>Group contains 20 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 10
<small>Group contains 23 groups and 50 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 10
<small>Group contains 11 groups and 24 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 10
<small>Group contains 22 groups and 49 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Debian 10</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 10
<small>Group contains 19 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 11
<small>Group contains 20 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 11
<small>Group contains 23 groups and 50 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 11
<small>Group contains 11 groups and 24 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 11
<small>Group contains 22 groups and 49 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Debian 11</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 11
<small>Group contains 19 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debianproject:debian:9 is applicable to this Benchmark">cpe:/o:debianproject:debian:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 9
<small>Group contains 20 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debianproject:debian:9 is applicable to this Benchmark">cpe:/o:debianproject:debian:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 9
<small>Group contains 23 groups and 50 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debianproject:debian:9 is applicable to this Benchmark">cpe:/o:debianproject:debian:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 9
<small>Group contains 11 groups and 24 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debianproject:debian:9 is applicable to this Benchmark">cpe:/o:debianproject:debian:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 9
<small>Group contains 22 groups and 49 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Debian 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debianproject:debian:9 is applicable to this Benchmark">cpe:/o:debianproject:debian:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Debian 9
<small>Group contains 19 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,178 +7,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="DEBIAN-10" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Debian 10</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -53,9 +53,14 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_gdm">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +73,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,24 +88,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_net-snmp">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -108,19 +103,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,178 +7,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="DEBIAN-11" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Debian 11</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -53,9 +53,14 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_gdm">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +73,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,24 +88,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_net-snmp">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -108,19 +103,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13907,178 +13907,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,178 +7,172 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
+ <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
+ <ocil:title>Build and Test AIDE Database</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="DEBIAN-9" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Debian 9</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -53,9 +53,14 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_gdm">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +73,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,24 +88,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_net-snmp">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -108,19 +103,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
RPMS.2017/scap-security-guide-redhat-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.60-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.60-0.0.noarch.rpm to scap-security-guide-redhat-0.1.60-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -658,167 +658,167 @@
/usr/share/doc/scap-security-guide 0
/usr/share/doc/scap-security-guide/guides 0
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-index.html b8098d1ba1aa63d7b64a145bb3026b19f19f5678259c1adcc3322b4428e1fb3f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 1fc8ffbbebb1a47588ac158327be2f5d49f2eb868579d3b517c69ca927a3e186 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html b55e89b1b99ed5336fb4e372100656be8837d6edc6438603c6e46ea8ecf7a9b3 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 1b4fdf5ddfa087f088aed92093734ec50e8a33122e1f2eb691e580567768990a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 8592adb650e5b9472fb29f84ba3aa15feb155132d2f34a968dfb2ceb2c2d88b7 2
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-index.html 63006fe83c8d2cf38fab118acc2f3ae85c7b5d6e4e5190c532e5c34de4e7b686 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html eb6911d1fb8309f85d68c53dc621dc425c19845f2b9aaf50fc6146819eb056e9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html cf8576b9818ab67a503997ee49f812a9f3f6d30642597f921e3781c811a19ced 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 1497a5f7f6ea711d62c148593d0c33346d72bc6fdcfc3192d30d37dace46d493 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 556f3f0d3e7bdb7b8e30bc7a9e2d8be9e092fbe2bede991c6ffc97ad7ea40261 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html b096157108fa2d9f474b844c6221336fec5742f0447cacc1021543ca530a4740 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html ef2a12a5a6a9a1bf464d0cd8caecd5f541a73dfaa67289acc83f7d89cab6d791 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 4d5e92f019ecb741be4fc5dcd482afe0d8abee9327a6018d3e06dc2ca628bd66 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 1b712b914a64c11ea29192f72aa5487b6b8955d187a2f0abdd4c491deb5806b6 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 92651a76b020bd645c993074e90141aa07e1d0942e097ed779d3a3f3f3231e3a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 80521569cb32cd8852e923693bc08b585103c206a321f894007b5343d4b6c5cf 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html f2b42137e4a30d845b5d91fe5cb143a0633787d1c1f506cb6e61287081bcd39e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 0d964b0b644c9a4e1f0e18b7ffd482530bed51a69f4ac0fc91afccb4b5a65ee9 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 6bbe7fac32ff24e5056b828ef3cb12bca1344dfca16f96be5efe9c8e85c94143 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 340c5c9103b840aead626e8f225793c3c52ea7bd55508a48eab5748dfbfee445 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 87cadd76b2ff9ab235381fb788b815cccccb57de4f660262a114031b723ecaff 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html b1610fc1e918e9aeb996ce125cdaddc52021ccea473bd3a7e22bbf98204bdeef 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 087e26b34c1d8c111cab83f7d1538d90dd1e0da90e0111e73e3673cf73134f7b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 1f9e840fe291d1d53118795a6cb0e4d589bd1ac7b7f5dd6562a5d8f6d5cede4f 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html e36cdc68bc5134385b9bfd9be28cbb2bf407dd9c7df92bef251f0005750b31b9 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 390782ef02c6d8ae523f5ec37e806b238f77acc80ba0e21ce7b167175c71944a 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 84dd5c2756742175c014d72deff9ad4aa853b2e57ac12433c8712ddada0f3070 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 304520533ffc7aeb565f61afa585f682648d3f6a9202498dda4e9d7b05ade981 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html dd7815708bbede87d58792fa371a6670e03cc280b687c863d827ef929c13501c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html e832c9ff0a717a1008c1cbd23e9047ffd1d11e5fceee5f4007c3caa9dd1da7f2 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 06c779412abd84f1cedf001b78ea74821da92356734407482255dcfdc7c1f67d 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 1e8c09b49a49a15e41459a9189ec4161ccaf9c74674fa05a60c7d1d3fafaeeac 2
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-index.html d9eec209fd0c83f74f8bb5b2db011302408848b2902116881be02e3bb619f2a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2e3ad42f08a05dd78dd84bd9228e22f985f36daab466900a56b8e303d406b692 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 9a98a62957cffe1f58ea6d0c4a1453ef7efca14ab7978ec78042316d03da0262 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 6dc97118319abcaf11b293cb88962cf14baf15d57bdb662a547a73d602ee1049 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html c2e6ecb472cd1055c2bed7815f2de96e056bce69d24d9466d076480b1d9766df 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html aed6892814821f1ea833cc0b1d41440578c07c7c2c92f11dbb43448b8a58176e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 61ece73063746f061a170a5272c1d235f8de545380ad159a9b92b24300282e74 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2593d4a9d99062cd662106d708fbb4ae2fb6f3370429ea5bb96c64020040d993 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 32527cf564db929d12e083f3818a17bdaa9c487604c0bf2935ac9b294e7831ea 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 7f29c74a794b0e269f5b07397984a9eac2b6a39eb4df551c4a71078acccdb207 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html ff305d6b3e72115d2229a58ab368bdbc53bf4edf07539aae7a3a523b0842943b 2
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-index.html 7ee7973f24efadd8a5701116316ef6396681d7ee39ea4c7412dec9e6dbd03ab6 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html b8df8112cae77a267ae74422fad68b5425e19570694f2d5df3d639a7508cf2b8 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 7f73431beeed0e6fc3108c48eda2cbc2714691d03ed559f12f513761fcc769da 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html aa4470c1ecab4c30e1764ace226c8b66b981787a2e976e091e6601ac8dccfb1b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html e466dc6d00394dd4c007bdf6b9fc87260725937dd9a796a55cc285342af11541 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html ea53873cfb946e4aa94d969aa2f353dbfc7ba9cb7e9a8ec9171e0a39a0e71ac0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html d9f20bb66e74311912358cc8c9b44ad047fc6e7b577788f2eb29cbfb1cdf0552 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html fed597efb1a8a02e33f75bef1c57cbfa16525d35080ad32edc08c949ffa61df8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 5b1c7d5b92f4d87344d40999acd62a1e3efe9fbcab5487759a87971a4251a5db 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 6ada2317f4ad5717101a2ad4de7d9fb43f0e4501e794d49929f6f229f127ba19 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 6e05db5646a18cc213d0438984211970dcaca8d3995b853d97cc43096474e84b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html dc8df2de4dcc6e195e55a7118bd1e396081b627a60c2b4d6ee1d0f0b4b7118d2 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 72970744ec8bfa88966708c45b2a7f9f5ff5bb5e508d746d7bfb446ea346e95d 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html ed83e5b5252e93732e986a7595acf1230c346d0a67aa656c0f78230dfbcb916b 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 00302b0257e11449085730398e6e72446248209e27d1558c015213b0b5b7d1f1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 0ed6123617b9cd7ecd0e2c20d49999e34cee9c28f6a2ea950bbfb359ddaa52e9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 9e2e3fc0ce1fe449cb58720bbcd699b825d4c7e87226308d9cc97a0720e90d5e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 1ad13cb5c2a1fb70c05dc707be587b3a03dbfb73d36619fa8e4ba0dde0399b62 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2e0ef4e789ccced1f2bd908d70134dabf3a90aa1271b2e87074a8de79364d4b8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html e8c5a358111373a2ec780941c6dc4a4733f4340391d6df8e2a59069b23240ea4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 5ccd031ad57f15e417ad95226012ef08ce304ca7b0b3ec6bfca451ef3e7294fa 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 525c4bbe75fb0553e14aa46611bd9156b12eb0a601979f7b50c76269fdb290de 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html de12d51fd2a5451d62788c6db2d29fbe5b45466f01065158ed1eb8e534003984 2
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-index.html 07bcced4e0c4a4e7e712f9c63e43b404143d7c8f83f933514e2000440bd39272 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 3c03ea47a4feb6ebe0a47418b9d0909bdafffa50af328d4cc124600bd56eb6a5 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 4b050d5f129c4b5c776afe435ab2cf6a5070ffeb92b47c5aeb6c75bd393730cd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 501463252dc049c0bb0a76c3299fd1ecee3770e48876b1200269c2edf6320a00 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html adb49d110d1c2e194370f4433ceb44f375c22ef746ca323ae5ea2dc8ddaaaaed 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html a19760d7ac2147fcc3076586d7c2734870d8e0a48ae9cf46133d499290693f9a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 3521d5021547e08792995c5c1eca4e493cbe9720fc805f03dde4b3f9de246d8f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 4f7d44d6c78e556f9460e44fd3e2998bad3d498bd179feddaecd484983d6e162 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 8bd4ca57d007718c8ddcae5d585d5b426c2cc1730a58d32a3820b473085f34c6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 62f50595b14e21c2a4b17bf491e899bbf9ce03ea0a00aa439fe09230f6226d18 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html d2b97ec5806bb4f1c137f87487cbe9ceaad149eb2da437f96e8901ff2de6fccb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 000cca3aaf4a87786c0d4a0f1c3335819f2be3050910c752d3cc2c13682fea0f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 1c3c0e8a015a4850444b24532e0ee001e8564f9a87ba03fc956b8ad6a49e760d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 4e260cc8be934c11809adbc2ae6ccf6ef97be34bccbc532d23d1f803e3a8ca77 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 219abe4d747b905754f972d8e28c856342279eacff340e6a6f9918e4c75773df 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 530df68abc85e3ead454a88c6f6e23e8216a108b0b69a1f8afefa934697ca097 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html e06d4900d9eae1c238b9fc65faf4a2de978c85fa40808ea0dcdbf2f71bc00e97 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 19e65c2a91cd787ab1ed9b6d11dbe20b36972dea7d072169a13dabfc0720494a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 1e3b3020c4ef621cc97b575de4156d2a38202767bb51e43fa0566ac03d60ed67 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html e803b65b10df55cc68397c7bc5571fe8e8ffc4c5ac016db87d9d50043bb60e48 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 7a3911c0e03a9927cb4d70e25e5d59418a66de69dce46c9fde96e7a9497b21da 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 8f8c60e686f626c53d25ffd6f3f0ee5d9e942acb793c836afca32eb9a32ec289 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 3e580a176856df491ae87cdd10121d4c8ee976c03ced08f4d388d6835414602e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2fbbdb228d138b76bd9c0074dd5d227d885ae74cf4d1d8a461db1e8b97d9aacf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html dd3df9f888e47a9f0aec91d31d5556001f5856bc3618f40669a00dab5dd6383b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html d185b0efcd3d5e438b0a3c41e0995b16d12b3625792296f49c739dc499d9f36e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 9ecf945846bee37c7e7739f142668bbe155a26525b2bf69e0af72e475dc26720 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html bca7c8ba9472cdf860202914f9edc19d8327f24e067c5452eb742126de7ef631 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 4d10793c0647348b2e4dd8a5b51049fcdcbff58eb88e0b1dbcc1a1118c9daf21 2
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-index.html 67b559d6ecbdf14d036273de2b5788c6cbabe10c56b5570a9cb04e4595a44a86 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 7ef0d251f7c53fd490c9064e1a5a039548818ef6977d04293fa3626c8efd9f88 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 29d6749534b6e62284a58c26ecf8550b96e4e152a774c16862ecc0cfb5e55930 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 377d2e3f587d782e92e7a870309394f8e7a22ad3dcac0d4a79cf9057309cec15 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html b5056a6c833325f276c3fa216498cd45a4a46eb8b880b47bc74f6b4efe092796 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 54a8a319f9d36f0b75e108e657d7abb1578f958fa2aee6226209cc67f745870f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html a49b5784ceb582baeda3f7b1aa8716da77875cc6f47e5d3e373abecef6edcc0c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html b956b25dabd10fe31f4c306679804b662c9560ab542eb5acdd92c45aa45600dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html f4871e7f1a53bbca232452a9af6ae14c967a9b24f2f44fefa832905d6eebe75f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 252e97b843c34c22ad0fd1f2dabb26355d9ac5fb597f48a252762baaaa292a5b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 916dee528e25b8101565d41d4e94a481e481c0f23772826d9a9046c7b3877c30 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html c90f131184800d5623f987b99ea03b96cc2d383ac0585c5192ed5fa4db02ee35 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html fbf28fcce9f2ace83352f7f2b951ffba512ed96c36b1e038e4b66dfb0c1677ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 1a8b64121322080a70802f04500a68122ba043f9885521e1067c252d5bc5ed32 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 6ad2d48cce07a841dadc527e02cc99673e7b2c4fbc3f7200bda2f22be8e58f20 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 272af84c9b4066bd3de5b7053cbc55b43d051d09c3ccad5a2bc05981d348feb4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 76dc0f892e19f53ced9e98aaf2eb28ada6dcaddb11c89fccae234d88885e5fdd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 768919c82a96826ec3f29f3a64099cfb5c6f8b084fa2397305f1cae7c318415a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 353bb6b138af26149ae4922e2cb634daee7b45855247b2e40686674841a32882 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 998e70ec31878e4fd707f1089a0f535c2ed53fcafa61411bdf004048b686d10e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html b3509c67c32c5be50a0ba1244e62bd3a910343c7f9895434a8d3501eee870c8e 2
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-index.html 3d69528a195418fd80001ab14e1ca8b64430c7951f42b605bf3d72dd0d75c8e7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html b906da6f30b35361b0fe3ad10b025e8ed76929039a1a45c9f02a9fd3f6a3c363 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html e8f6d4736ab231aea740cc5c5454d51a8e9c894efc3fd0479f5b3166c44ab0a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html aa5bd9d88e49499e896b8158cb3d634628e18bc8f4117a3cd26bc7895337d2e8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 67268d716242bb40a9c72818b3e12af8128e41b09d8192bdbd6463ea2b142b6d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 4b6d6deab2ec2093b6cb1f8ff8b1f41aad06db929db4defbf40257b876b217a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html fe3ac45a5388256cf086be921880cf21bfbabc99360264b665650fc919cbea67 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html bf9ceaddb72496ba285c923ee764d22445e693c5d68e541409fe04f90f005792 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 3862171352576d473146209fc66936ff70032343a0a7d23807ea75dbe02f1d81 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 34d06fce59ae2365c63fbfdb8467c2b944ef99b4b3f22cf811a56a9d4a5791d6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html d4c0e660ed7fe263565040c9f54a4950f61c9521bd458c60dc09d6e749ba90c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html f09efd40ac3d6a7157b7cfa37b34598fce0cf7d139c7a086424255669e8714c7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html eac963b6bf18b288b08799f31373640f39d82b68648b26c7ac351787be16c350 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 16243c5b939bae40c7a7d34f2b9c92c1f9c566d0c26cdee5b681913dc53346d6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2cf74357a2b4ca2c35adc87284154ec1c72707cb2c92ed5698a96140fe5ba078 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 9648537c232c2373027633495fbd21bae6031023be9af87a6bce5c95d10628a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 164dd32aac301f762d9ed9904bc77f55dc9ce2e7bfa859752e9deb49402d0413 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 97c90f8fec20e20cd199bef24966ac0a89446fac0ada6709e026e1d7a16abea4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 033959111a7c05ede82bf0503f3dbf480ff9d97108e247d15bb15fd56c823865 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html c03caefc1a9340855c7866d30dfbfa5afa86880bb9acd41d1abe92da6de29f23 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 6a04082448935465669b4cb5c96c63e1fafff5ac4486780088e70632d2abb93b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 448a9057bc2e74d672ef0dd32ab2722dbefd6a9a2bbc8228835132945956da1e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 7a901089048c9e777072cf1223af6ec22d0ad50a10ede7fe6ae0d2d59c0c0d36 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 3a932ddbd20d3734c572908d9208de737ccc4cbe3d78dbbed81fa44a06fc74ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 325fe1eaa23943c627c141b9dd8068155fa20afd19fa9a3b759d49a1a6817b88 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html cda1d26e0b2a13fe9d8aae357e9b77dde6b2bc64c0e966af6c1585c11a9539af 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 8bee735106c22852f4c134389d92354af68c38e0710531d66b99a83cffbd555b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 7c87efc727969c5caf64bda99f74ee6b2718bf99afeff8cc16dca943b69a1b22 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html cf029f5f18cc2f8e22799e7f4e6cfcb5b3e52ef3039b4c6b17af0a8bffc65700 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 446358284a0746612ec8ab03d0d186de7a11334b99c07a9811158e0b7ac272e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 34282f5d554c9749d2e468c63ac3bfaaca40cc88b44ed90bdb78fcb28ac1055f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html d6e59c9e08ba1548cf9d86ccc7386a7ba76c35f6ed6395fb2d11478a4210576d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 36a9b9dd02ccb896b9aab9931339c239ff0b9b0fb80a9ab1f8022a26ffa3bafa 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 1815d43d6657b4824dd627d5ff24724ec93766a2beca333de507031567407cad 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 859e2d51f15bef30f86381a2408889998a17a385518775c36e6aed600647d96f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 4ab6827ed637626e6d1f07ef8a6eb6bcbc36b5879423a4d2bd874c724793eb78 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 37e6674d90c77825a4a780d377ad91029f11c32ba750be5c482261ee171fd032 2
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-index.html fa09f106dc8d3b1fc5349d8bb3a6fb2b910c1448e8ab1816ccf5f08179434171 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html dd3fe0f17739af118cdc913ca53fb32bba9805d5f0c4df428a10a68e892b904b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 0f5d8e1c40ce0e134bd47865d8aafa7011291c5f1d60cc245d3dfd1238f307dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html b8bece32b0478ee1ad117dba3db976224687beab83637a2716f24f270d389206 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 7dbb025a561b8d11d2bd639c0ba3761e5408d4cde7ec80d020d3ada92be356c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 67cb3decffccbd73c9fc32485c24e19e16d6bade1ebb71a59c198cc28bdc53ce 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 0f53b8b533201cceb46baeb8960771db648c5900e8a01d12ef64f83a3f2ed1b8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 5f0f41d7ea45f69a649477dcd70fe7ca1be5683c8e2cb947c3c11cb5e27d8ef6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 868f077b2cd3471b44c95d5c6a989066fafb4f7a1dfbcf4b11fa6a4dad441e18 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html de8ed8c2320b1014f32a1f0d26048990d80e3b78ad3f7ce90b5b0fa5291c015d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html acf0a66f22388a5bc27ef91faf6f2a1f1a450ce413d8447afbad2d256cd1c384 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 0c82f1940241889dd3923e8e815e1ab722478304b16d98e48a778287a54388c6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 558a90a7749657403b85aa58f3915c0ae4bb820c9932504a3674ac467fdcab2d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html f3dbdc3899f0488903d5d2780961aed2a0a28a5359f8b56f385059bcd25f7972 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2d5c544fa7202285ea9416fe2196f36105c4f278a45977025ecc5d2b3f3079b5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html ba02dfd8212b2a64d68089837b818396dd9997f7f5f1dfcd43228f0cdbe30ebb 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 5367e2409189753091fb30d9c571279a2a5c3a7ff94b0909475d79c2016e30b0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html d5945efe7d31b86e179d90f69facf5e980c92231140d7dd2134017c59881de45 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 5022909cec7a8d07f421e0490cb078b89cbf6f3b16317fdf3def467b38c8c7b5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html b818697f139c732fd539f5bb11e90a4b5bd2acdc7497d1a231e3e44f891c1d08 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 5eb27efc0552b92f2f77dcabef1152a0d54b2d48c0010e9e3f3d391f7642863c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html bbdbacc15d6f5787533557338c0d490e1264b66ec65d3b8b782352686edb001c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 63bed57f867bb511caa443fdc6d686cbf8e4fab327f2bbd3f33e9af2701dba5c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 39eb3db2ca833f4a8a168560f4d89b28306646089e6850c8c2ff74432f231f2b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 43518c790b685eba6a5df619e559365174a062126ab05ebe17350e43b57d4ac2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 1f94419ce1eeecb277b9e5553f9b2325a71184b1961028578bb0f76bea324250 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html ca1654de6cf6cc123d3bae402cad0d3fd6585787dc0409e058dc85ef276ce41e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 41b79cf52c10b8e3be122e1f99113220e814df22fff21435718b2f0a585f7a9a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 37b23e68be65b9b5dae1fd25e8fae5a0470f92c41d7620851aa9486f3a734ca4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html e2c6b22f5264260316200bf917f22375499386f0c0cbe139ab216d3d02c782b2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html d4bd0838835f7caa56cf528a013cd9a0e04ca0ac5ad8bd3c43764cd860e37157 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html c8dfc67523ff4c32a70b7b112119340edb88a78f540660077ddee8053a121147 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html bececceae4209d70f5976ff8c875175e827475ab275f71d727ac40a45919bfd8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 455bcf12a26179aea08b04756ca2be6ef7e915491a003efa44f6af279d4612e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 4a432903e37ad09fb2e4a86c8a4ce546167862eed15c1bc0c4a9b3e33675e956 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 1ad0c8573a6b4cec1cf608f410559f200bbcd850cdfcc51c1e5605f8b0dfae5c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 7edf75c8b010d4abf6df8309afd13525e6c6ff1a573f61ba9a4421344bc44491 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 649e40479bcfa5f0efbb480a5b83a79ac59400bed497f54abe04ba8999005e59 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 9ef7fcf1495b858754b4efaaaabd8dda83239dde42e8cf18e132c1d22fa02124 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 269e727279f3c6adddce62f671ae9087709a5f02335e4d14432ad3a028419f3a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html f8dbbe5816c5dfa55e39d992546280d14375fe3a153a4bc2133525dceb271294 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 64f4fd42b479a1dfbd8ffc6eae78ef1b654f4deddbff644ce2e0cd579b3e04af 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 13b0dc70ff0ecf2af5754f49677887c0d5e195201faf5f7a5c0ca8bb35b45eb1 2
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-index.html 0f7362068796586f984657740d7b17ff2939be9e618df3afded29d324feb9da6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 7423e329d720fb55a2553727691af2d2b23ec97bc2ca7f8fec9956edcf12630d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html dff00911eb1fa3be12cf80834cb5f4c80983e7ea9176e654553122e71382f3bd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html c807d0212dcb76f788c7dc14358f3ca4e26d7033a4ab554eac5f2113c1eb3722 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 4a8e554a20d413c096f14f730261cad2da6ec97ebcd8e1527987936369d398dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html bcadd3b2f4b3aece107c0e981944770f20737d98e69b4a112488686fc4636e03 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html dcecf5a7763d955ed8ee6a2bd0b0cebd3c0102f0a9ea785e0f83350351e2ffc5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 1fe81116d8cdc4c0602fa2e5d695990ee789c5379bf62e5408e5713a5d2137d8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html a8e8a7ed7e8529f129c361d1cd7cc50d00e86fa713983f79ea02abfd104d0138 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 6f2ac7a0fc54eaae0cbe0e611c517c7f0719d0d40ed92d817e33eb3dcfba9d6b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 00012a995c94092c94d9102d7175ec84d4b674fe57565d1657849c8175613f91 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 44160533e1111ee624138ba2d3c7ccc0cd46d3f0e81f66bf42af4d86839f623e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2e7bfe5a5fa54a21e3ec3c1ac7924beba7d25715d01569e186388337dc231208 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 3933b63e28f8a7ac19f4dc01ad7f02b4b23b6f916b6310e2811245f94dc2718c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html c4808d0407785bfc4cc4b1ad0b41ece0003f09ac8cb8eac3f7e1c2ac168b9d79 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html cc532356110ec67330dcb2647f8907f96ec255be21c2d42263b7b2411b438459 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html e63d5bb3d147c8f11a2998513de979fd801fe2dcb6eafb56a2ed2fff350a7d7f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 119205ee2c9d6b8efe9af65f3d0f18eae43a983da37b14554882191f51e73180 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 995727584755ce258010fcebf0072d73ed4310b821aa0ac472be575123f98ad7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 785998a12407fb62417f2ec1b7f96d0e163c6a878c2db88a62794c72f4baabb2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 6209ba4faf647c4bc4a74917616822b490a0e02363949c73891528aeeb15fc87 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html d73eb8cc9adc52a06fc6c3e45211d2351502a6604c07ee70a27abf1d46d7306d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 6995c4c8442cc50dbe700306ba2fa4e4b3fed95b0464a4d637739ba5457a7242 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2a27a8355efe701ac80c243846027f44708bf9f108b91b9673e224c9a9d98e24 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 21ff9dc6c95b846c534f4ee671ca27b26598dfedc91062238feeba0063e95e9a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 27d96e23771f0ce40c6f4130534dba0980b6d4dbcffdc0bce0de6466d34ed752 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 3e20a9ef25b82e188cc0d602cfd45d15fbcd1d68c0bdd46e39ed662e397b9e70 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 77dd7fad0f6e02481a7b336dc6cfc1fbc1bd2dd3ca846b31cea65a7f46b5fbdb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 8fc7a6ffa6a8b3fc9f95c1cd3644aee5d7d377d3e20748f4273bc6c9f79e7f31 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html eb99da54567457aae78281b48a3ba5dae3b55c3d6ba467d1041602b6ebaf690b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html ce46c40970652ada141549839dcac4260e1a75ec1541c87473a11f125cc2264e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 141547c5f17f945e681f3c5ad14a238917f5f7833d79bb8c33e48ef0b42d0dbf 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 9ddcfe821dddc0d4804ca4be1886d54c4c389772db82c64fb7db873705ef3a34 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html b2e35bd5139e484996142202c83e9011abe07fdf974dc4ae1e3e83db4dcc876e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 171c031e3bc6e5b47cf8f201ca06713062c1b7169a418a3531fd495121010cf2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 8baff1f9a4ccddcd9ac5781a27a442d7f32730defcd0890d2fe6cae154a463c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2b75a15ddfbbb0e75441506e9ec4d685b5a33f5fc6bd051d75cc4eb5f40c8b64 2
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-index.html 2e7a9b31e4eedfa38c2b9aa86ca8e59bc2d44092a30d44dfa0bbc96bb3ab2f1c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 595b84d85ecd9859fbee0a19a639ea6df658eae7978d1711b5c2ba0fabaffb74 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 828b9b70c0bc5688ccd3c2228f90d8c94679c92599f3ff73c43889a46ed6c866 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 84a11e53c27705091d326810eedb2e005b97461f52500de2e97577fe5fdba814 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 0a1138356a28e222a943a53beb78dbf5eae6e4aea1d14e3a9a0085d7fb9183b4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 1acdfdd2ffab9fd84cb0c99bdcccb029eec28b7f8f982886ef43765b9722f4e5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 6c1f97108f935da33aaf5c6d31e74c69fc8f513830dace0665eab86d250907e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 4a9114078c729d79a8246fc9f56c4d4c63b9272c3ed7def9aa18c0d2b93176ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 34e3b6f55c79f1872deea5b13e485c5b0506eb311951a4a7ffaf6d3ea2bf5691 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html a31d21f1c378c3eb79b901957eb92d5b6fe498c19e78449e58d1841130a54722 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 597d14df5374a366e27bfc3f5091ca866a961d0dbadb9842a286fd4d01bd8a54 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 6f49f73ca7f0f27ccab7cae96d3438e1eaf5225ca56dddb5f24fb92ff6a769d2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 7544750cfa414dc578c0d1b2dfb2d92b33b9133fe867975f68ad62aa5ad5ef58 2
/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-index.html 1f1caa597602bc43b68568d19acb6d3166839d80dda2860345a2bd8574783b4f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 41e2ad6310fc34c2882d2d09b4669ef05300174a53d5e1a3b22ff514b4c560b9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 8c64646896e6fe69633987c4919bf35706b6460d2849aad094add3acbe3a94fa 2
/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-index.html 0655548a71ebe9584ee7939dadcc6073d35f89e88aaf1881397ede3ec363d0c9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html abc09bcde1d7eb1e83a97765e7cec0ba0eabb4283f6d09894acc977a97ec2f7e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html bdfd439d93619d9a648938318e29609c705a9161e241ec4d5cfca2ee130b9409 2
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-index.html ae6d63019fd1688420ae4840f6a5ef6e64a26642ff75cf58223291b3662f478d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 656825af0ef27e07acb446f3dde782506c0f6fe2309870365da3d949e2eb740d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 14425f86df2b9ed094ac054924310d784a692bee4ea3c903434d8cba153dcd4c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html e4f373353d737e1dd22303d52b4d6c89131171c24def3b0b5a8d682372cfdac8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 3cb54cb85bd0d55f801a6f7051c32efc9a0dc444b67e3fabe6a1a6a41a678774 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html bb7f6a54a6968a8c98e06211af70deb00ab75dbf74e52eb693baac1cfdc6873c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 548ee583a6e3114dad0e6feed8932967c3a00ae07682d795caa57ee2913106fe 2
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-index.html 6fec47c13f341992bc83b2f134ff7b47b6821926572c75e56ddbca4293fecc9c 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html d65a786dda46761bab5e9283d9c181977d08a998a78a72976413fbe421341848 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html a37f3726fe6675029743181df51420c3559baec71e35c315c9b4959890aaed84 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 7570dfda32e7fee425743ba86b51490af2f0f52e07f737975cd98a30bfeffef9 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html ac43841a0ef924b5640fac11fa5dc0e319d4cf2058d08c3b34c76824ec8500a8 2
/usr/share/doc/scap-security-guide/tables 0
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 06cdcf228814d80ba295153a346e8c14926d3545e1cd600a72048a34f63087ae 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 4e788ae406c42230d8ad396eb361e5e3c3e993e213e194d73d8ec996a79ed813 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html a4e65b2ceac215d23669659d706661456ca7237774d7a64a1de6742bae8c4fde 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html bb29b56a8d523da6ab8214faa454dad30a38a48bd5f310404e7f3a07e2781e12 2
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-standard.html 800276dd30a8e6ec82ab051bb06db4e6c2099315d6133d2222460680fed37730 2
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig.html 0bf189d1a29b7ed62c3aa4e0406b71dc7ce4f05007a91fec7490fd638629fad4 2
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig_gui.html c7ee44c44bf7c6d034470e2e1f2a62ca36a32dcbd1a72f467495550f123243d7 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 098ec06021b5e3ae9af8e18f0c7d9e0b73b923d4d57c8da0f2f28932ef163d68 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 34ca78cf3495e201219a0bba6b22d25b25e5dfacd3d7b4387fc6e5b541bf939f 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html fd378c9495412432777cfbfeb362375a0e5f068ff4bb2a6e8beb236bbdc15f0a 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html c01ae53af9ae8bd48239ae5a715dbb0304eb9082aa557bce4de996ffe0e33c58 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html b79bc9885b9b11d575a81ec364126973b3d5914a05a33fff0952653f7a16d597 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 483567facf1c1ce9f5d030f711878bc992b3418612a907c6e324a37297c81b2b 2
/usr/share/doc/scap-security-guide/tables/table-ol7-stig-testinfo.html 9f87705207b99274f60b6b8fa82669083c27a532a0ce57fd32d687db095c4600 2
/usr/share/doc/scap-security-guide/tables/table-ol7-stig.html e2e11478bcf827baf6af103642c105780208e3e07ac4feace59d6a48f2ba0b44 2
/usr/share/doc/scap-security-guide/tables/table-ol7-stig_gui-testinfo.html e09354c2159971142bfec0efc0b8456e710a40b2a6ff1af0bc14c7c41c91f58d 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 5a5a39a1a332c87230bfaf8bb3de76232c4ff64b945cda01529ed3b936b5d828 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html cabc5d8478406f5c32503261113303a63745a593a35658b5b7d13cda1e1cb193 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 7b653b15f297888792dff9c8f16d77affbc9cc389160a3dd150072bef01a8712 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 9a90b2003b9d7c85e84792e01fa88d3a10b1bae384ea8e2771e211494220b4db 2
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-ospp.html 72d6eb136a7365ace8a9eb3d69b3ca645ff42ee9f639438aac2d818db83755cf 2
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-standard.html 26c647bb367bffe080e7366b4ae1eadf7e2ace82c208c0052542aaf9b56718dd 2
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-stig.html 9e0fe77d67ba50694eaf9e642c97a6bdce00953c3a1a79f8843176b95464d4ed 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 1956e23d18669bf7a1e17593fe9a0e8419462323bd164353301d71c87359ab99 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 5c54d56ff355713baea4e56c451d6b3fbaae3109cad497cd7e8245e39e7079a6 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html c13abb05c3fa7fa9130a4ccd6458ae7018cac172f7d2a89c31e3b437f20f4efc 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html eb2979e05802c5fffad081ca33aa82d079294c97228b0d64395ba91bfa6d15e1 2
/usr/share/doc/scap-security-guide/tables/table-ol8-stig-testinfo.html 07c6f0657c23ccae6d03e3a1b8a3d3384181ab162c160f46f55f3352e4b8f9f3 2
/usr/share/doc/scap-security-guide/tables/table-ol8-stig.html 7c224fe6ff310db156dfc66bdc6fa9a009fc408ad69349078ac0c5c2fbb4b0ef 2
/usr/share/doc/scap-security-guide/tables/table-rhcos4-cces.html e66f4fae5df030969cd6e40894e1f0efdd8cfa214f5f2ff60ca6ce5b95b032d8 2
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 6df88054d6822a2e4836c9f956ef480772dbc1b05b156fad9e71975dbd3e2f7c 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 1af1a57f94a7b91eea882468abe8b0c54e1112d9d8da665e5ccb5505bcfd6e13 2
/usr/share/doc/scap-security-guide/tables/table-rhcos4-ospp.html e2866ee446d2ffae38bd37f332c55cf748f02d755f464fe2c00354b4a79d79e9 2
/usr/share/doc/scap-security-guide/tables/table-rhcos4-srgmap-flat.html b548ba92262dfe58d45d3ea596da750c18a593736ec820026d42bf88a82b152c 2
/usr/share/doc/scap-security-guide/tables/table-rhcos4-srgmap.html 45cd86f340e869d4489f9208e2ac007c0190413a490947989ebe530c58d3d942 2
@@ -827,17 +827,17 @@
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_high.html 2d821fe8d597f3d3813d0216b7ea10bda63beb36332c7c7a41240ddc7deb0c83 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_intermediary.html ffe3d1d08f3e25f585f03cd6b68a277b125484692033a1afa733b8dbc034c9aa 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_minimal.html 6781823a43841d9efda111ae2670962750618e01aefc41fd2486002e8834ed9a 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 57759b872af945d8a2e6a259f94a382cec3033ce9a49566fd7a313abe3985284 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 5bd2c7e2753f689d64d1296f45193ca47152865733a10b289af56cce102fe0e5 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-cces.html be03501db9e37e168a6d46fb215fe088a9fa9db94e9e716d6538c9d453570000 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 82ed6f4272f9c664223406d926a21404c4f9ee1d06ed1486a3a4b5394d3e27ae 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html b03ac2d62d75f5303dd77bd3f28af060400caf29393632696c8edbcfeea98341 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html cb08ef793818060c68c511d630f4f9ee3d017f1b2ef15c4bcde5f3a3f8057418 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 97d87fc171adbece400ffb34ea8fadd933dbe1baffbbff8b1171e91a440b71db 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-C2S.html 250debe0c819b0859192e10d22ee3b31354a09e868c82094361824fd9130f5d3 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-ospp.html 9c228574bad22c6877b7bbee5cd9a70a2a3b948d82976fd43b593acc5c52a9d4 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-standard.html d023c4584b7503035ad7abef655c8752b44cd60e41e5ae8665101264bccef4d1 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-stig.html 214b45dbfdebf7f88283426313ec6eb0a3cac348397afbc44af7164dc7018b37 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 76458a6e5e06a282b4d3f662dc1a9b2bf894e9a73ba09821933db607f7190622 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2749aee4e19f0cad2c403b148e01f48e8d7976bed8ba7adc856ddb54548b03c6 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 780ecff892d558b7eea6cd9933e7bb8be32e5b87b7ab3acdaf186505de9f9730 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 7b6ef471cc2b70cda7ba0fbcb5e984c83f5637b870ba14aaac8d8458d0773474 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html dfdb4c91e108252593f74cef75cd4e57cc1a8a82fca07b1ec481c8ac9cb821a4 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html ff60386a8d63042136f8f1d56fffc74e6b929b6510ef08e2e155a4482ff00df8 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap-flat.html d40454a2eb031bc044ea6c308d2a9d83f79efb5e7b89cd2a90bf615518cc1949 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap.html 99f79fa277cb6ba18f549c41897d89c852f103efcb37d2c8665924019784ec8f 2
/usr/share/doc/scap-security-guide/tables/table-rhel7-stig-testinfo.html 588bd8a6d38fc9de5679e8cba47287bb8f02bc0e5f99729bc11d7cdb405bd11c 2
@@ -847,15 +847,15 @@
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_high.html dc4c26cc196d03436bcebec5c5ba11493ee19215b65806e4acc4d2edc89261aa 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_intermediary.html 92c97760df52652752b9f0c7860c09848c479c737eb2f06df9dd67dcb92fa910 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_minimal.html 77fd3ca1747ec1abf5603c7b75ed6ee5cc6d58280c703776377c63b4a9ddcb3e 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 3b9c5a2d5a51c2fe3815abd8cd78a43314906418289a1b9d2ab5599d9eea096f 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html db94d7601cd905181f93a120b84ef9fe69914d36e0c8f35c0b0bb4bd613ca4e5 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-cces.html 4f09798d02e8c6e57a0ac565bb5e22fca19c5766e7e92b49db82352132601c2a 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html f502796792bb29627c2df543bdfa1d024808e2ccd83d71934d7f06665c27c373 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 4cdb7e0c48a07cd15762cc4b261499abe5f2419dc690e9b91a85879774252ae7 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 45593c6395a8e2723d25644ab33719a8d4ecd6e61879e70e9bf4dd2ae524dbe8 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 651705f3b68ccd2b697a07a4ca04468dd0324adb30d78153153d6f3da1340084 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-ospp.html 686e426e850a59472bf64466c84236236be81329bd2d15a4782316fa4b9019dd 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-standard.html 9f92017a4487586244adf82d9a81d116d5cdf9b957cb241ece0df265367288c2 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-stig.html 43ec4fe8c91c7f95c400a98a13a008d9cf2081bd8b2d75cf3e6c95fcc304d07b 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html d892e27f975aa039f1315e21f9d4d2dac2cfec3b8247b13f92faaa4676d20189 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 7eb849e5e5b9ef070dc243add783e7faa28de7f2cf77670c2725f7edda12f8b1 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html fe823915650697a28d7fca0d39bbf101b88ec2b31a81a7ae866e609ccac4de67 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html d382f03fb8bfa35375bd4e8ea0d1f98f65849035ab7ebd9760a4588d7d522ac6 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap-flat.html 4fe164465808ca8ef5c26e944aa646cfb1714f013ee6abc6dd91ef856d43d00c 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap.html b1c4f43670c05e2c4012481e6d9878b1621a1df33123816786f4d9fa46633ea1 2
/usr/share/doc/scap-security-guide/tables/table-rhel8-stig-testinfo.html 56e1b77b0c5b7a1905ec607eb6da430afece818ba21c09bfbd59529aa53d4924 2
@@ -1145,93 +1145,93 @@
/usr/share/scap-security-guide/kickstart/ssg-rhel9-stig-ks.cfg 00ae1e816692e64c52346ccd758c4a766550c51f13e8b932f787d9b004f8162d 0
/usr/share/scap-security-guide/kickstart/ssg-rhel9-stig_gui-ks.cfg 55df2a89664132dfc450573d11b00e2391ee9373e7096512f3118f4070154113 0
/usr/share/scap-security-guide/tailoring 0
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml c7380c3924950b60d8bd0ec43dd5839448b3b0edfb47b6e3a53ab1868f91c605 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml dfb56e28373b4506f6e87c19cdc246754421c7e2fe1d2d5273619a7f857f3b70 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 88235253ca9bdd479e2cd3b222e3c7331cd2c9ddb44bca92ac0ddc5b0273f6cc 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml a5a512c087a525f05e3e47b1675ecf46c813e762da06ae5b4baeb072012ff452 0
/usr/share/xml/scap 0
/usr/share/xml/scap/ssg 0
/usr/share/xml/scap/ssg/content 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml c7bc0a5b0eaefa605bd12ccb3eb708e9c3b14c6896c21e55f495032c3ca16175 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 05d843607856796f3ea3474159131dd511b2f03f3d7e4d178d03ec8bff290842 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 66b927e30aeb909c49ca259661a95e264ffed8af1386478c4a803038af6ab5c1 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 64598467b43d5dc1bc1da28d174ff1bbd08c27547c4410ccfdd6cde7ce919894 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 8f971eacbb0db66d68104d3ce4ac739688d122b21cf9aae993f1514bab5a52e9 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 73bb520bf489bc5ca408d324adb6bdb8ed1b0958ae2909e5e0c10fd14812cfad 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml f4c2fdcc6806d2497c7478b530a6ce49caad200e962904f959b510d81eb60cb9 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 0a1b8a53ca39635bb21a1f9b8af91d324ab65a0e037aa3e8017335c470b2ee58 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 1eb2574676888fdd2ba65bd1f36cb8ac1cbf7ea239182357c2746944e26af938 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml c04aad93fdbd5a855403650878d8b826d11dbca54ce772f5dbfc8ba7b151a590 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 9724769e5c83ba0a1dd63a1b8e37d07bae21959d17026122df9f63186ffaa5a1 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml d6140db9ca47e898a24011388f70e1dde6afda0d7816c5d6a719f7a370f828a0 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml c5f569ef8da42b1f57d854a17a40151d7739f210936fa1c16afdb6b17bc898aa 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml d04bc006b0abe29553cea8bea36782f2a27b892dbae682f5f443cd83e1a4c7e6 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 9ed138861a433d14104ac48038307040c365f8dd80edce582c2ea655138e0eae 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 32a0ef83890bb046328889d2ed7aa76bec869c5a6904540a7539e74ae8960260 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 183b1c238c5fc07d3b743219a77adf3d176f5c261ff7a372c1a557f2634b016c 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 79162604a82f02fbb5bf3622e23c485c94ff9a9b33f3e57d4bd439c71e50ad70 0
/usr/share/xml/scap/ssg/content/ssg-fedora-cpe-dictionary.xml c8d5f0a2f8acf0028f9b74e68518b0738539bec86eda83407164f2ce3223dd58 0
/usr/share/xml/scap/ssg/content/ssg-fedora-cpe-oval.xml a55cc74e5430dedba5aebb2fbcccac38628329887d3438a0f480313349fce9a5 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 318ca6c6b03394bbc7e65aa639bc8a0d38dc4afbeb3f35c742a242b0808408dc 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 46e2f8e8d2141ef5f13dfcbb0b587069e823b1d7b5ed5313a28386a62f7c02a6 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml b66b3e2624a5ead5bfcf56a3b827f0278ddd42ebf511622375ea6166b11a0abb 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 230b312a6f7cf14c822d448e83d638746c0cc61b79501b1448a810e588855d73 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 1e9565d3767c75b04935da52b017d24feb62ce1287a75083b17add7c9e9edf87 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 8390220b2439aad32ede534b924bf64e57f1d6f2f634075d847e460c5517747c 0
/usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml 9756e05259ba22fbe39c6308da5b196ed61d72d958615b4f7498d663704eb098 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 4f65f9dc27252a0aeb451886e1fcffe79b5e61a4793f1c222d6070a001e21a80 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml db47fb44c78090e9d35cae5d5819a55019d16c9d402c28fe4b3a0187a06b49dd 0
/usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml 5e7eed9a1a733623dbdc77f310ea4c5fb8b162b49368434bdfd956ba4a734fca 0
/usr/share/xml/scap/ssg/content/ssg-ol7-cpe-oval.xml 110031ae4468339493278d91398819999dce35f3d323d127602ada8c7eeddf39 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml c5f754be3ef2a050387ca17714f721c3fe9bc59877ade7c7c0ec7144d3c0c190 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 48741983cebbc454062c31c87ca883d0cf9e09d046aea55ed68f3caf1cf22f96 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml eaa1ba7e5c83b9be5e38d7c803d13c2e0a0b1dd4ec9b073ab830f7157d7ab56e 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2bc67366a788ca2b31fbf60949466830837c53d2a02e4fee428fb0cb5b2ee63c 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 016fbcdfa39d0719dca4cbf37a5e577b58ccb05e4c111bad74a2dfd60e93b2a8 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml b48e78ead0b4f98bbaf90c7eb3291e83c9de62ec92b83b84a96aee1aff4d4fcf 0
/usr/share/xml/scap/ssg/content/ssg-ol7-oval.xml c70d7c25f934f263c0ac3700c469dec1eeb06099afe66f8ac0f72e6bb7e51def 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml f932a5f4a5c9be223bf84ef074e866444e3c1752ca44edd37bffa068ac6abe44 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 8c0da81664269a650bb61e2b3b4463308cf1065c6e1d183155cd251ec4b22fae 0
/usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml 3124a453d0961ef1f92742b355968daa1bc3b7f18b9af07e9d548e0a82d60957 0
/usr/share/xml/scap/ssg/content/ssg-ol8-cpe-oval.xml 9272cba0ed87a6522b40ee8bdd72e97d14b0903f93a8057f4054df4afa5e2373 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml ae4847ecfd556aa603d48bc8680c27a6f6af76de058fd89a05ec2a9dfb945971 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml e912b6fb10630a03d1503c15fc55d2c6f26c34e12259f3a890139746208ad4b3 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 9448fc54d344f825556193ec9cafcace41370b8097bb9a5e0413c28413fa31b7 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml e048eafe9b51cd9aa1de26ca35cb26247cdb806ada90d7792c0dbd0d715ef9f2 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml e4002425a0df69e399ac0c1d6c9c981320f16e0ea9a0b780a45b47d0e9542aca 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml dbcfec30277dbfbfbca1af89a9b6c69b6aff010a6bc37a43680ef139968561f7 0
/usr/share/xml/scap/ssg/content/ssg-ol8-oval.xml a6fbc46fb0e959e298caa76786fe64b877ac65b8b28eb25b9906f2358b0334f3 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml a08f2435326d5d78189fb50ffb4fddb4477d5295cc9ebf869a34c72cdfd25459 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 766f5e73877ab8f4b04eacfffd10da92c05a83fdb9fa9bb5b1f976be46bd6f8f 0
/usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-dictionary.xml ce0e47b1662da5a097f0d1345ba2b60d417e3da6d9d280d2e2e96a612e6b8bef 0
/usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-oval.xml c08d1ec93793b1b903ff99c84a1c181a57b7cc734cf0063141f1d040276308c6 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 6c9adf0645ffd577a8b3a4e9b1d3a5e65206addc251fc5242eef42fc0caaee91 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml f8a7045c4def24ea185fa1d96bc306db07068d1920d49c1b06caf0a048b6678e 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml aec8c15b0e759a29cd135a12ddeb47d19c28a5c442d647b2c6bfd52b7c5d19ed 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 557990ddd80bf211c769e62bcbee63f7b050bf981382ef65174d895ef76419cb 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml b5d5516d0235f28577a84f0a2dd8f159dcd5ff8355052553a9f768f10aca6bed 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml f701f0f927355b0b96606816a3648783a907757076f7af84d45445f46ac380d1 0
/usr/share/xml/scap/ssg/content/ssg-rhcos4-oval.xml 6c67dc54351787b7e6da00f853da6f1f628a205fd9a602a81201a3c63ba2e4b4 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 0c87c9673c22adf18c093783d5d84a2c2856cb553944402c0aaf51d380af003a 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml fdf407a95b74f448fb41290607afe1d2a4edc5d659410be8656e1b15d5debd6a 0
/usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml 3de9bda65d07d283299b6d7d262333656a554c07a7ac4a20cbf07c07a864f1ac 0
/usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml b8bc15716584c443bd59ccd32dac7c654332c61d757245f22fa18f9440408348 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml a556720f70b18a3f5aabea0e9500fb634bbf07bcde7d8052550ef056308b5185 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2fb31cf625ab2ce15244758ff68e0d523d806bf33f6c28587c41193d948147e5 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 60493bd78e867b3972c45cabd40446a100c55cd60571f9489ee15d5b9dc70d32 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml dfcb71092ef1ad64283630b1d110f3d09340fc6089a3972eae5f1bcdc6c5d2f4 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 9e3aef235fd6b40818a23027adb29a2cebc50bd104c819786be45ca34348327b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 4f39cd20faa7284c6865df5ee2fd98b63fe1d7953c016108889920f3774d0bf8 0
/usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml 3ab21e6e631fa0769ec0a750701e6aff521349841d877d99fc96dc8b69a735bd 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 044896edcde1cf5d583783971a51ba822e30432262d82c0feb37d75e35a62d7a 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 5b10129862ee597b66386a6b46800350390b1e0647b0cb08c3b5a10d1d87c4f6 0
/usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml 3040dd62c0cada63b4ff1349a08a764dfa0925abb5c94257933aae4e54f0772c 0
/usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-oval.xml 674b9770bcc4e2047c6f2fd016f1f75f67264f888a3ae94dc2ff9d5a85a91f8f 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2e6d733719e910953a74a2e626068dd35bf495fa263e4b9d04962682ff377f3b 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml c6e4feb8e9c71d0c950a062aab4916dcec48b3fecbb86dd67c8d65bfc2442b2a 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 20d7e3051121449e3aa8d8b248dbe1003987df66fa7fc20bda07fbb419c4eaf9 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 72b333ac27b111b067ceb035bea54a426d60aaaeaafeaa7466e6d9c726b993ae 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 998023a037f13d22bc0a0e7f47e15f25aa725544c7ff066286a75c8921ebb825 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml e6c3c6779b411dfcf993b840c191a24995a72e8b826f0cb48f9f6cc888e93ba2 0
/usr/share/xml/scap/ssg/content/ssg-rhel8-oval.xml 6a7d3e38420fbfd123f9082516845f2f29680506b99ab9cb0bb59666c63f0c06 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml c746b4eac0bef21cb8f2b0c3d37b0db62fab990344798611b50d8f29f011039c 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml ad5d5ade4542b6f383f37fc314088962d7a3849b9da48073c80ce17be12ce4e4 0
/usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-dictionary.xml ccae6d9c84ab921c4944bc5aa1251caced39d210b048c7e73ccaf44241c67c10 0
/usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-oval.xml d8648a52af92e2a5988455a32f69b0ffa40445ef843540967cb756f93462418e 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 1e2f821322c75d9f8e126cffddfc2978847cf89d81c1c3aa3d74c0acd219290f 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml bfc8662ccfdf9ce05163a5d8778b2ca7feef9741ef6445e31ebb6831c943368f 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml f767189d60fd9d54f9a842fdfacec97727e80263376661de96174e052d03ea22 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 85eca241ad94013da436e2528a6db21717e1a4f004b2d01d9b2b14825c596c23 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 4134e6648276ef4f3cd0277577b80e701d18ceaf0a3745af8d18d7b18100be41 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 655f0fce0f1ae8fdf1c08ac1689c09d8d6431ba5cb90d3f3ecc3c67d57ebde70 0
/usr/share/xml/scap/ssg/content/ssg-rhel9-oval.xml b20f0d226440a686364717ce8a12a619dc1459c5e0e3af45dc52af83d8addafa 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml bee6b6dca914b9dff5e3565c3f49ba813291caa7b37ba77d07d82262449645da 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 31539d4e9365b416b12e3a2542e4c84731ca44abac13861fa9a81559e6731936 0
/usr/share/xml/scap/ssg/content/ssg-rhosp10-cpe-dictionary.xml 8e187a0c323447d1b4e11acd6a69cb5cc60348abe026bf6330a20388c251d723 0
/usr/share/xml/scap/ssg/content/ssg-rhosp10-cpe-oval.xml 700e38b9f4e7696cc2729956b000063f2a1f0c9ebea123d483d65e72287d8c7d 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 31dd58f9242266ffe3d4599815ef2a27011040285a4cc84f530e770a2fd5086f 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 21c261d5bde4d586c3480492c02bde3c68a891448b240692444fea1bf6cfcbdb 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 02ff761f112b72e9ac3d8e6d3d0dae83e884573ece5f48c592378b75587db368 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 984b3cb9355edbb520008b2b1607c6085b377b2082221eb38340f33cb4558568 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 81dbf625f175534a5fdd5a51d2c8b2aa24688e74c16c0fb1a724ff0515098615 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 46fe17445ab3b5a18865c503cb61b8a02a41e701f52290600f98cedb54b82460 0
/usr/share/xml/scap/ssg/content/ssg-rhosp10-oval.xml d6efc77f0cc37e70b2dfd1d8d64fc12a89f22371250fce3918120156dcfee8c7 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml fd84ce6eca15735de91ae89caf7725e59ac0ad43220cabd7f1c1223c35e48eb6 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 8848bafd1cddb2fcb46903eed17b7961105bc0c159111a64fdc0d506dc13abb1 0
/usr/share/xml/scap/ssg/content/ssg-rhosp13-cpe-dictionary.xml 1915595d83e83ee6737b1b84be0cde945d0f6d96d4d9aa8ffcc6d27a1daa55c7 0
/usr/share/xml/scap/ssg/content/ssg-rhosp13-cpe-oval.xml 15098a7075538c37e96c4dc838d38fe72fc27bf193b1633c3eb935b790123477 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 19e44b7ef70923bbf1f5e524afaa9835e9f56de41386f16de328a522a3e7ec6a 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml a6007cf51cf940ce2647f61ead9e73078004086f8de02bbf2a479cf6df80e6a8 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 3ec019f36759dfe1e989d5261ba94fea94d2d86f1ae4f2abe138261a4e5a4108 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 8b82ea3f0565db682d4ea59c31f5ffe3637b15e057074159f5838b5b4f4b59f7 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 55fbc5126fb3038362403107a88c3d44f5001804c3d269fa200b5532dbc2684b 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml a7d33de9ea9d90c3828451aafa137f9326d2b18755e40af52cf52ed5bfc0ab77 0
/usr/share/xml/scap/ssg/content/ssg-rhosp13-oval.xml 8f56d277bbe113c12261647e620cddc66d476999870574d39633753ed5f7b514 0
-/usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 8b76d235c74c6d7989593ec0c22b618240379821e2c1fad029feae254b928529 0
+/usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 07512a6b38696615460e4ac61d4abbb0d21ee2d37634968289e2aeb4115d500b 0
/usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-dictionary.xml 74210b5efa58bbbdb9133dd82d36a7e4aa0d75869d34e0ac89ea1d01469970d3 0
/usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-oval.xml 9bf46d8d34e75bfc5769b34a6c68db8f617401343b72c42a81255257e0bfd83a 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 94aca25143e01825d568812d4e4c1bebb9f44d923447bf6b9deb9032f2d1a4d5 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml f5f675bec8520b92b29ee487f1570876f1263aa6c954c31e778af94effc4b7a9 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml bdd89b179c63c29258c62c00f7a89f53e5a129faf3b6c892858ec7399b632e2f 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2ba43705a99d46c1dd7a7a36276bb81e0175ad4c650b5b6d0751037676bae552 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 277db4b551dcb4c29bb2bcbad70f42ff8d1ebd2e2a1c3773718423a552c5c3ec 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 731925f9fd3b88ff434ed404b5d3d062775df5c594fa83ea26415b5ea92fd2a7 0
/usr/share/xml/scap/ssg/content/ssg-rhv4-oval.xml 3fe591b84cfeb276e40d6ce4f5b28f91c4226009f27613c46e1b2c17d4b799a5 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 9bedf27fa271effb5d1fec66860a4e5e5b65df068dcf32e5c4a6a3e31d6af6bf 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 15e28ef4fdce5ee9c744e055feed6625ccc04dbe5f39a8cac4564d5b45605eef 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 10777dcd3a1c9968594508064445c08ba9f3c7451e9263dbdea18f0619efc439 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml bec4c3bcdb46fb17ee4f7e2c136676fb3965c19d371fc536c7c35c808db0bbe6 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 0de2b7cd3a593b13aba25be767e1132a323fa08e3c2cc6a1cc574a1a93f416c1 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml c8afaeba043a985a24f7cd7ec3d317782aeb30dca66881ae53f4cb44b1024fc6 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 80e4849eba1f403678533cb1a3385bddf6048a73f697d9caf845299d04a81800 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 131edeea2f38c524890924c7067960e91ea660b70aacb5ca89f92ff5cd2f7bf1 0
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 49 groups and 122 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 29 groups and 57 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 61 groups and 161 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 61 groups and 175 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 57 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 27 groups and 43 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 105 groups and 271 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 94 groups and 203 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 89 groups and 199 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 103 groups and 269 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 64 groups and 200 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 48 groups and 97 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 52 groups and 135 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 71 groups and 147 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 64 groups and 200 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 49 groups and 120 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -86,7 +86,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 106 groups and 353 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 104 groups and 352 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>OSPP - Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:35 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:35</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:34 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:34</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:33 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:33</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Fedora
<small>Group contains 63 groups and 208 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Fedora</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:35 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:35</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:34 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:34</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:33 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:33</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Fedora
<small>Group contains 47 groups and 120 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Fedora</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:35 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:35</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:34 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:34</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:33 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:33</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Fedora
<small>Group contains 39 groups and 77 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 61 groups and 161 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 61 groups and 174 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 57 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 27 groups and 38 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 47 groups and 101 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 46 groups and 93 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 54 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 48 groups and 98 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Security Profile of Oracle Linux 7 for SAP</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_sap</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 10 groups and 9 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 28 groups and 72 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 101 groups and 264 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 7
<small>Group contains 99 groups and 263 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 61 groups and 168 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 61 groups and 181 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 57 groups and 158 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 27 groups and 42 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 49 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 63 groups and 205 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 48 groups and 95 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 54 groups and 140 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 63 groups and 205 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 50 groups and 124 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 29 groups and 78 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - DISA STIG for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Oracle Linux 8
<small>Group contains 106 groups and 364 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 43 groups and 91 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 43 groups and 95 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 40 groups and 83 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 10 groups and 8 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 23 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-02-22 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 52 groups and 237 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-02-22 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_moderate</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 52 groups and 237 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_nerc-cip</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 52 groups and 237 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 50 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
<small>Group contains 54 groups and 160 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss_centric</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.">2.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.1">2.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.2">2.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.3">2.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.4">2.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.5">2.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-2.6">2.6</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.">3.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.1">3.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.2">3.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.3">3.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.4">3.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.5">3.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.6">3.6</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-3.7">3.7</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-4.">4.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-4.1">4.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-4.2">4.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-4.3">4.3</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-5.">5.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-5.1">5.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-5.2">5.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-5.3">5.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-5.4">5.4</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.">6.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.1">6.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.2">6.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.3">6.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.4">6.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.5">6.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.6">6.6</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-6.7">6.7</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-7.">7.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-7.1">7.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-7.2">7.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-7.3">7.3</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.">8.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.1">8.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.2">8.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.3">8.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.4">8.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.5">8.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.6">8.6</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.7">8.7</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-8.8">8.8</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.">10.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.1">10.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.2">10.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.3">10.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.4">10.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.5">10.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.6">10.6</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.7">10.7</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-10.8">10.8</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.">11.</a><ol><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.1">11.1</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.2">11.2</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.3">11.3</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.4">11.4</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.5">11.5</a></li><li><a href="#xccdf_org.ssgproject.content_group_pcidss-req-11.6">11.6</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_values">Values</a></li><li><a href="#xccdf_org.ssgproject.content_group_non-pci-dss">Non PCI-DSS</a></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_PCIDSS-RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_PCIDSS-RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (PCI-DSS centric)
<small>Group contains 337 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-2." data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_PCIDSS-RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_pcidss-req-2."><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-02-22 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>C2S for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 101 groups and 234 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 61 groups and 166 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 61 groups and 180 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 57 groups and 156 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 27 groups and 39 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 106 groups and 290 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 95 groups and 227 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 89 groups and 222 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 104 groups and 288 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 47 groups and 101 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 46 groups and 94 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 54 groups and 143 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-02-22 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST National Checklist Program Security Guide</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ncp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 105 groups and 386 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>OSPP - Protection Profile for General Purpose Operating Systems v4.2.1</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>RHV hardening based on STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 100 groups and 378 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-02-22 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-vpp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 48 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 38 groups and 69 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 102 groups and 260 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
@@ -82,7 +82,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 100 groups and 259 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 61 groups and 170 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 61 groups and 184 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 57 groups and 160 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 27 groups and 43 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 105 groups and 280 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 94 groups and 212 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 89 groups and 208 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 103 groups and 278 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 48 groups and 102 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 64 groups and 216 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 48 groups and 97 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 54 groups and 137 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 71 groups and 150 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 64 groups and 216 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 49 groups and 122 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 39 groups and 70 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 29 groups and 57 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 106 groups and 366 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
@@ -82,7 +82,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
<small>Group contains 104 groups and 365 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 61 groups and 161 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 61 groups and 175 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 57 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 27 groups and 43 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 105 groups and 271 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 94 groups and 203 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 89 groups and 199 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 103 groups and 269 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 64 groups and 200 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 48 groups and 97 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 52 groups and 135 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 71 groups and 147 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 64 groups and 200 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 49 groups and 120 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 106 groups and 353 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
<small>Group contains 104 groups and 352 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Controlled Unclassified Infomration (CUI) Profile for Red Hat OpenStack Plaform 10</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:openstack:10 is applicable to this Benchmark">cpe:/a:redhat:openstack:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cinder">Cinder STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_horizon">Horizon STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_keystone">Keystone STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_neutron">Neutron STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_nova">Nova STIG Checklist</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat OpenStack Platform 10
<small>Group contains 6 groups and 36 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_openstack" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_openstack"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] STIG for Red Hat OpenStack Plaform 10</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:openstack:10 is applicable to this Benchmark">cpe:/a:redhat:openstack:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cinder">Cinder STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_horizon">Horizon STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_keystone">Keystone STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_neutron">Neutron STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_nova">Nova STIG Checklist</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat OpenStack Platform 10
<small>Group contains 6 groups and 36 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_openstack" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-10-OSP"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_openstack"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>RHOSP STIG</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:openstack:13 is applicable to this Benchmark">cpe:/a:redhat:openstack:13</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cinder">Cinder STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_horizon">Horizon STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_keystone">Keystone STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_neutron">Neutron STIG Checklist</a></li><li><a href="#xccdf_org.ssgproject.content_group_nova">Nova STIG Checklist</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-13-OSP"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-13-OSP"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat OpenStack Platform 13
<small>Group contains 6 groups and 35 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_openstack" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-13-OSP"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_openstack"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Virtualization 4
<small>Group contains 45 groups and 115 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhvh-stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Virtualization 4
<small>Group contains 101 groups and 374 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-02-22 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhvh-vpp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Virtualization 4
<small>Group contains 49 groups and 143 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:scientificlinux:scientificlinux:7 is applicable to this Benchmark">cpe:/o:scientificlinux:scientificlinux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:scientificlinux:scientificlinux:7 is applicable to this Benchmark">cpe:/o:scientificlinux:scientificlinux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
<small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,32 @@
</thead>
<tr>
<td>BP28(R1)</td>
+ <td>Remove telnet Clients</td>
+ <td xml:lang="en-US">
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ </td>
+ <td xml:lang="en-US">
+The <tt>telnet</tt> protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The <tt>ssh</tt> package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
+ <td>Uninstall talk-server Package</td>
+ <td xml:lang="en-US">
+The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre>
+ </td>
+ <td xml:lang="en-US">
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk-server</tt> package decreases the
+risk of the accidental (or intentional) activation of talk services.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
<td>Uninstall talk Package</td>
<td xml:lang="en-US">
The <tt>talk</tt> package contains the client program for the
@@ -61,46 +87,30 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove telnet Clients</td>
- <td xml:lang="en-US">
-The telnet client allows users to start connections to other systems via
-the telnet protocol.
- </td>
- <td xml:lang="en-US">
-The <tt>telnet</tt> protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The <tt>ssh</tt> package provides an
-encrypted session and stronger security and is included in Oracle Linux 7.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
- <td>Uninstall xinetd Package</td>
+ <td>Uninstall Sendmail Package</td>
<td xml:lang="en-US">
-The <code>xinetd</code> package can be removed with the following command:
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The <code>sendmail</code> package can be removed with the following command:
<pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum erase sendmail</pre>
</td>
<td xml:lang="en-US">
-Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
</td>
</tr>
<tr>
- <td>BP28(R1)</td>
- <td>Uninstall ypserv Package</td>
+ <td>BP28(R1)<br/>NT007(R03)</td>
+ <td>Uninstall the telnet server</td>
<td xml:lang="en-US">
-The <code>ypserv</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase ypserv</pre>
+The telnet daemon should be uninstalled.
</td>
<td xml:lang="en-US">
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the <tt>ypserv</tt> package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+<tt>telnet</tt> allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
</td>
</tr>
<tr>
@@ -121,38 +131,18 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall rsh Package</td>
- <td xml:lang="en-US">
-
-The <tt>rsh</tt> package contains the client commands
-
-for the rsh services
- </td>
- <td xml:lang="en-US">
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the <tt>rsh</tt> package removes
-
-the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
- <td>Uninstall Sendmail Package</td>
+ <td>Uninstall tftp-server Package</td>
<td xml:lang="en-US">
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The <code>sendmail</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase sendmail</pre>
+The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
</td>
<td xml:lang="en-US">
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+<br /><br />
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
</td>
</tr>
<tr>
@@ -174,59 +164,52 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove NIS Client</td>
- <td xml:lang="en-US">
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (<tt>ypbind</tt>) was used to bind a system to an NIS server
-and receive the distributed configuration files.
- </td>
- <td xml:lang="en-US">
-The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)<br/>NT007(R03)</td>
- <td>Uninstall the telnet server</td>
+ <td>Uninstall ypserv Package</td>
<td xml:lang="en-US">
-The telnet daemon should be uninstalled.
+The <code>ypserv</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase ypserv</pre>
</td>
<td xml:lang="en-US">
-<tt>telnet</tt> allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the <tt>ypserv</tt> package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall tftp-server Package</td>
+ <td>Uninstall rsh Package</td>
<td xml:lang="en-US">
-The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
+
+The <tt>rsh</tt> package contains the client commands
+
+for the rsh services
</td>
<td xml:lang="en-US">
-Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,29 @@
</thead>
<tr>
<td>3.1.1<br/>3.1.5</td>
+ <td>Prevent Login to Accounts With Empty Password</td>
+ <td xml:lang="en-US">
+If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+<tt>nullok</tt> in
+
+<tt>/etc/pam.d/system-auth</tt>
+
+to prevent logins with empty passwords.
+Note that this rule is not applicable for systems running within a
+container. Having user with empty password within a container is not
+considered a risk, because it should not be possible to directly login into
+a container anyway.
+ </td>
+ <td xml:lang="en-US">
+If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ </td>
+</tr>
+<tr>
+ <td>3.1.1<br/>3.1.5</td>
<td>Disable SSH Access via Empty Passwords</td>
<td xml:lang="en-US">
Disallow SSH login with empty passwords.
@@ -67,118 +90,20 @@
</td>
</tr>
<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Single User Mode</td>
- <td xml:lang="en-US">
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Verify Only Root Has UID 0</td>
- <td xml:lang="en-US">
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-<br />
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- </td>
- <td xml:lang="en-US">
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Restrict Serial Port Root Logins</td>
- <td xml:lang="en-US">
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
- </td>
- <td xml:lang="en-US">
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Emergency Systemd Target</td>
- <td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Disable SSH Root Login</td>
- <td xml:lang="en-US">
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-<tt>/etc/ssh/sshd_config</tt>:
-
-<pre>PermitRootLogin no</pre>
- </td>
- <td xml:lang="en-US">
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Prevent Login to Accounts With Empty Password</td>
+ <td>3.1.1</td>
+ <td>Disable GDM Automatic Login</td>
<td xml:lang="en-US">
-If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-<tt>nullok</tt> in
-
-<tt>/etc/pam.d/system-auth</tt>
-
-to prevent logins with empty passwords.
-Note that this rule is not applicable for systems running within a
-container. Having user with empty password within a container is not
-considered a risk, because it should not be possible to directly login into
-a container anyway.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
</td>
<td xml:lang="en-US">
-If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
</td>
</tr>
<tr>
@@ -208,23 +133,6 @@
</td>
</tr>
<tr>
- <td>3.1.1</td>
- <td>Disable GDM Automatic Login</td>
- <td xml:lang="en-US">
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
- </td>
- <td xml:lang="en-US">
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
- </td>
-</tr>
-<tr>
<td>3.1.1<br/>3.1.5</td>
<td>Restrict Virtual Console Root Logins</td>
<td xml:lang="en-US">
@@ -242,6 +150,41 @@
</td>
</tr>
<tr>
+ <td>3.1.1<br/>3.4.5</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
+ <td xml:lang="en-US">
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+ </td>
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -42,10 +42,40 @@
<td>Rationale</td>
</thead>
<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+ <td>Record Attempts to Alter Time Through clock_settime</td>
+ <td xml:lang="en-US">
+If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+utility to read audit rules during daemon startup, add the following line to
+<tt>/etc/audit/audit.rules</tt> file:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+The -k option allows for the specification of a key in string form that can
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
+ </td>
+ <td xml:lang="en-US">
+Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ </td>
+</tr>
+<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Unsuccessul Ownership Changes to Files - chown</td>
+ <td>Record Unsuccessul Permission Changes to Files - fchmodat</td>
<td xml:lang="en-US">
-The audit system should collect unsuccessful file ownership change
+The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
@@ -54,59 +84,35 @@
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+<pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+<pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
</td>
<td xml:lang="en-US">
-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
+Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Attempts to Alter the localtime File</td>
- <td xml:lang="en-US">
-If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.
- </td>
- <td xml:lang="en-US">
-Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
- </td>
-</tr>
-<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
At a minimum, the audit system should collect file permission
changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
</td>
<td xml:lang="en-US">
The changing of file permissions could indicate that a user is attempting to
@@ -117,42 +123,18 @@
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Ensure auditd Collects Information on Exporting to Media (successful)</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect media exportation
-events for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
- </td>
- <td xml:lang="en-US">
-The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Any Attempts to Run seunshare</td>
+ <td>Ensure auditd Collects Information on the Use of Privileged Commands - su</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+configured to use the <tt>augenrules</tt> program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+utility to read audit rules during daemon startup, add a line of the following
+form to <tt>/etc/audit/audit.rules</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
</td>
<td xml:lang="en-US">
Misuse of privileged functions, either intentionally or unintentionally by
@@ -168,6 +150,51 @@
</td>
</tr>
<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+ <td>Record Attempts to Alter Logon and Logout Events - faillock</td>
+ <td xml:lang="en-US">
+The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/run/faillock -p wa -k logins</pre>
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/run/faillock -p wa -k logins</pre>
+ </td>
+ <td xml:lang="en-US">
+Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
+ </td>
+</tr>
+<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
+ <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+ <td xml:lang="en-US">
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -57,21 +57,6 @@
</tr>
<tr>
<td>FAU_GEN.1</td>
- <td>Set hostname as computer node name in audit logs</td>
- <td xml:lang="en-US">
-To configure Audit daemon to use value returned by gethostname
-syscall as computer node name in the audit events,
-set <tt>name_format</tt> to <tt>hostname</tt>
-in <tt>/etc/audit/auditd.conf</tt>.
- </td>
- <td xml:lang="en-US">
-If option <tt>name_format</tt> is left at its default value of
-<tt>none</tt>, audit events from different computers may be hard
-to distinguish.
- </td>
-</tr>
-<tr>
- <td>FAU_GEN.1</td>
<td>Set number of records to cause an explicit flush to audit logs</td>
<td xml:lang="en-US">
To configure Audit daemon to issue an explicit flush to disk command
@@ -85,83 +70,82 @@
</td>
</tr>
<tr>
- <td>FAU_GEN.1.1.c</td>
- <td>Ensure cron Is Logging To Rsyslog</td>
+ <td>FAU_GEN.1</td>
+ <td>Set hostname as computer node name in audit logs</td>
<td xml:lang="en-US">
-Cron logging must be implemented to spot intrusions or trace
-cron job status. If <tt>cron</tt> is not logging to <tt>rsyslog</tt>, it
-can be implemented by adding the following to the <i>RULES</i> section of
-<tt>/etc/rsyslog.conf</tt>:
-<pre>cron.* /var/log/cron</pre>
+To configure Audit daemon to use value returned by gethostname
+syscall as computer node name in the audit events,
+set <tt>name_format</tt> to <tt>hostname</tt>
+in <tt>/etc/audit/auditd.conf</tt>.
</td>
<td xml:lang="en-US">
-Cron logging can be used to trace the successful or unsuccessful execution
-of cron jobs. It can also be used to spot intrusions into the use of the cron
-facility by unauthorized and malicious users.
+If option <tt>name_format</tt> is left at its default value of
+<tt>none</tt>, audit events from different computers may be hard
+to distinguish.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
+ <td>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured
+The audit system should collect write events to /etc/group file for all group and root.
+If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
</td>
<td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
-The audit system should collect write events to /etc/gshadow file for all users and root.
-If the <tt>auditd</tt> daemon is configured
+At a minimum, the audit system should collect file permission
+changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
+startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
+utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
</td>
<td xml:lang="en-US">
-Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Any Attempts to Run seunshare</td>
+ <td>Ensure auditd Collects Information on the Use of Privileged Commands - su</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+configured to use the <tt>augenrules</tt> program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+utility to read audit rules during daemon startup, add a line of the following
+form to <tt>/etc/audit/audit.rules</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
</td>
<td xml:lang="en-US">
Misuse of privileged functions, either intentionally or unintentionally by
@@ -178,132 +162,64 @@
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
- </td>
- <td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- </td>
-</tr>
-<tr>
- <td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</td>
+ <td>Record Attempts to Alter Logon and Logout Events - faillock</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -59,6 +59,34 @@
</tr>
<tr>
<td>Req-6.2</td>
+ <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td xml:lang="en-US">
+The <tt>gpgcheck</tt> option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
+the <tt>[main]</tt> section:
+<pre>gpgcheck=1</pre>
+ </td>
+ <td xml:lang="en-US">
+Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+<br />
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+<br />Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ </td>
+</tr>
+<tr>
+ <td>Req-6.2</td>
<td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
<td xml:lang="en-US">
To ensure signature checking is not disabled for
@@ -76,30 +104,6 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure Oracle Linux GPG Key Installed</td>
- <td xml:lang="en-US">
-To ensure the system can cryptographically verify base software
-packages come from Oracle (and to connect to the Unbreakable Linux Network to
-receive them), the Oracle GPG key must properly be installed.
-To install the Oracle GPG key, run:
-<pre>$ sudo uln_register</pre>
-If the system is not connected to the Internet,
-then install the Oracle GPG key from trusted media such as
-the Oracle installation CD-ROM or DVD. Assuming the disc is mounted
-in <tt>/media/cdrom</tt>, use the following command as the root user to import
-it into the keyring:
-<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>
- </td>
- <td xml:lang="en-US">
-Changes to software components can have significant effects on the
-overall security of the operating system. This requirement ensures
-the software has not been tampered with and that it has been provided
-by a trusted vendor. The Oracle GPG key is necessary to
-cryptographically verify packages are from Oracle.
- </td>
-</tr>
-<tr>
- <td>Req-6.2</td>
<td>Ensure Software Patches Installed</td>
<td xml:lang="en-US">
@@ -123,42 +127,38 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td>Ensure Oracle Linux GPG Key Installed</td>
<td xml:lang="en-US">
-The <tt>gpgcheck</tt> option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
-the <tt>[main]</tt> section:
-<pre>gpgcheck=1</pre>
+To ensure the system can cryptographically verify base software
+packages come from Oracle (and to connect to the Unbreakable Linux Network to
+receive them), the Oracle GPG key must properly be installed.
+To install the Oracle GPG key, run:
+<pre>$ sudo uln_register</pre>
+If the system is not connected to the Internet,
+then install the Oracle GPG key from trusted media such as
+the Oracle installation CD-ROM or DVD. Assuming the disc is mounted
+in <tt>/media/cdrom</tt>, use the following command as the root user to import
+it into the keyring:
+<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>
</td>
<td xml:lang="en-US">
-Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-<br />
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-<br />Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
+Changes to software components can have significant effects on the
+overall security of the operating system. This requirement ensures
+the software has not been tampered with and that it has been provided
+by a trusted vendor. The Oracle GPG key is necessary to
+cryptographically verify packages are from Oracle.
</td>
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
be owned by the <tt>root</tt> user to prevent destruction
or modification of the file.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
</td>
<td xml:lang="en-US">
Only root should be able to modify important boot parameters.
@@ -166,18 +166,17 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -198,17 +197,18 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
@@ -285,69 +285,101 @@
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</td>
+ <td>Enable GNOME3 Screensaver Idle Activation</td>
<td xml:lang="en-US">
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
-to <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+To activate the screensaver in the GNOME3 desktop after a period of inactivity,
+add or set <tt>idle-activation-enabled</tt> to <tt>true</tt> in
+<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
+<pre>[org/gnome/desktop/screensaver]
+idle-activation-enabled=true</pre>
+Once the setting has been added, add a lock to
+<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,32 @@
</thead>
<tr>
<td>BP28(R1)</td>
+ <td>Remove telnet Clients</td>
+ <td xml:lang="en-US">
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ </td>
+ <td xml:lang="en-US">
+The <tt>telnet</tt> protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The <tt>ssh</tt> package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
+ <td>Uninstall talk-server Package</td>
+ <td xml:lang="en-US">
+The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre>
+ </td>
+ <td xml:lang="en-US">
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk-server</tt> package decreases the
+risk of the accidental (or intentional) activation of talk services.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
<td>Uninstall talk Package</td>
<td xml:lang="en-US">
The <tt>talk</tt> package contains the client program for the
@@ -61,46 +87,30 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove telnet Clients</td>
- <td xml:lang="en-US">
-The telnet client allows users to start connections to other systems via
-the telnet protocol.
- </td>
- <td xml:lang="en-US">
-The <tt>telnet</tt> protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The <tt>ssh</tt> package provides an
-encrypted session and stronger security and is included in Oracle Linux 8.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
- <td>Uninstall xinetd Package</td>
+ <td>Uninstall Sendmail Package</td>
<td xml:lang="en-US">
-The <code>xinetd</code> package can be removed with the following command:
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The <code>sendmail</code> package can be removed with the following command:
<pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum erase sendmail</pre>
</td>
<td xml:lang="en-US">
-Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
</td>
</tr>
<tr>
- <td>BP28(R1)</td>
- <td>Uninstall ypserv Package</td>
+ <td>BP28(R1)<br/>NT007(R03)</td>
+ <td>Uninstall the telnet server</td>
<td xml:lang="en-US">
-The <code>ypserv</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase ypserv</pre>
+The telnet daemon should be uninstalled.
</td>
<td xml:lang="en-US">
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the <tt>ypserv</tt> package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+<tt>telnet</tt> allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
</td>
</tr>
<tr>
@@ -121,38 +131,18 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall rsh Package</td>
- <td xml:lang="en-US">
-
-The <tt>rsh</tt> package contains the client commands
-
-for the rsh services
- </td>
- <td xml:lang="en-US">
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the <tt>rsh</tt> package removes
-
-the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
- <td>Uninstall Sendmail Package</td>
+ <td>Uninstall tftp-server Package</td>
<td xml:lang="en-US">
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The <code>sendmail</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase sendmail</pre>
+The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
</td>
<td xml:lang="en-US">
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+<br /><br />
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
</td>
</tr>
<tr>
@@ -174,59 +164,52 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove NIS Client</td>
- <td xml:lang="en-US">
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (<tt>ypbind</tt>) was used to bind a system to an NIS server
-and receive the distributed configuration files.
- </td>
- <td xml:lang="en-US">
-The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)<br/>NT007(R03)</td>
- <td>Uninstall the telnet server</td>
+ <td>Uninstall ypserv Package</td>
<td xml:lang="en-US">
-The telnet daemon should be uninstalled.
+The <code>ypserv</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase ypserv</pre>
</td>
<td xml:lang="en-US">
-<tt>telnet</tt> allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the <tt>ypserv</tt> package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall tftp-server Package</td>
+ <td>Uninstall rsh Package</td>
<td xml:lang="en-US">
-The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
+
+The <tt>rsh</tt> package contains the client commands
+
+for the rsh services
</td>
<td xml:lang="en-US">
-Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,29 @@
</thead>
<tr>
<td>3.1.1<br/>3.1.5</td>
+ <td>Prevent Login to Accounts With Empty Password</td>
+ <td xml:lang="en-US">
+If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+<tt>nullok</tt> in
+
+<tt>/etc/pam.d/system-auth</tt>
+
+to prevent logins with empty passwords.
+Note that this rule is not applicable for systems running within a
+container. Having user with empty password within a container is not
+considered a risk, because it should not be possible to directly login into
+a container anyway.
+ </td>
+ <td xml:lang="en-US">
+If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ </td>
+</tr>
+<tr>
+ <td>3.1.1<br/>3.1.5</td>
<td>Disable SSH Access via Empty Passwords</td>
<td xml:lang="en-US">
Disallow SSH login with empty passwords.
@@ -67,118 +90,20 @@
</td>
</tr>
<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Single User Mode</td>
- <td xml:lang="en-US">
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Verify Only Root Has UID 0</td>
- <td xml:lang="en-US">
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-<br />
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- </td>
- <td xml:lang="en-US">
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Restrict Serial Port Root Logins</td>
- <td xml:lang="en-US">
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
- </td>
- <td xml:lang="en-US">
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Emergency Systemd Target</td>
- <td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Disable SSH Root Login</td>
- <td xml:lang="en-US">
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-<tt>/etc/ssh/sshd_config</tt>:
-
-<pre>PermitRootLogin no</pre>
- </td>
- <td xml:lang="en-US">
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Prevent Login to Accounts With Empty Password</td>
+ <td>3.1.1</td>
+ <td>Disable GDM Automatic Login</td>
<td xml:lang="en-US">
-If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-<tt>nullok</tt> in
-
-<tt>/etc/pam.d/system-auth</tt>
-
-to prevent logins with empty passwords.
-Note that this rule is not applicable for systems running within a
-container. Having user with empty password within a container is not
-considered a risk, because it should not be possible to directly login into
-a container anyway.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
</td>
<td xml:lang="en-US">
-If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
</td>
</tr>
<tr>
@@ -208,23 +133,6 @@
</td>
</tr>
<tr>
- <td>3.1.1</td>
- <td>Disable GDM Automatic Login</td>
- <td xml:lang="en-US">
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
- </td>
- <td xml:lang="en-US">
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
- </td>
-</tr>
-<tr>
<td>3.1.1<br/>3.1.5</td>
<td>Restrict Virtual Console Root Logins</td>
<td xml:lang="en-US">
@@ -242,6 +150,41 @@
</td>
</tr>
<tr>
+ <td>3.1.1<br/>3.4.5</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
+ <td xml:lang="en-US">
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+ </td>
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -42,45 +42,27 @@
<td>Rationale</td>
</thead>
<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Unsuccessul Ownership Changes to Files - chown</td>
- <td xml:lang="en-US">
-The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
- </td>
- <td xml:lang="en-US">
-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- </td>
-</tr>
-<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Attempts to Alter the localtime File</td>
+ <td>Record Attempts to Alter Time Through clock_settime</td>
<td xml:lang="en-US">
If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
</td>
<td xml:lang="en-US">
Arbitrary changes to the system time can be used to obfuscate
@@ -91,136 +73,46 @@
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
- </td>
- <td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Ensure auditd Collects Information on Exporting to Media (successful)</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect media exportation
-events for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
- </td>
- <td xml:lang="en-US">
-The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Any Attempts to Run seunshare</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
- </td>
- <td xml:lang="en-US">
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<br /><br />
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</td>
+ <td>Record Unsuccessul Permission Changes to Files - fchmodat</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
+The audit system should collect unsuccessful file permission change
+attempts for all users and root.
If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
+startup (the default), add the following lines to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file.
+<pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+If the system is 64 bit then also add the following lines:
+<pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
</td>
<td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
+changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -59,6 +59,34 @@
</tr>
<tr>
<td>Req-6.2</td>
+ <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td xml:lang="en-US">
+The <tt>gpgcheck</tt> option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
+the <tt>[main]</tt> section:
+<pre>gpgcheck=1</pre>
+ </td>
+ <td xml:lang="en-US">
+Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+<br />
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+<br />Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ </td>
+</tr>
+<tr>
+ <td>Req-6.2</td>
<td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
<td xml:lang="en-US">
To ensure signature checking is not disabled for
@@ -76,30 +104,6 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure Oracle Linux GPG Key Installed</td>
- <td xml:lang="en-US">
-To ensure the system can cryptographically verify base software
-packages come from Oracle (and to connect to the Unbreakable Linux Network to
-receive them), the Oracle GPG key must properly be installed.
-To install the Oracle GPG key, run:
-<pre>$ sudo uln_register</pre>
-If the system is not connected to the Internet,
-then install the Oracle GPG key from trusted media such as
-the Oracle installation CD-ROM or DVD. Assuming the disc is mounted
-in <tt>/media/cdrom</tt>, use the following command as the root user to import
-it into the keyring:
-<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>
- </td>
- <td xml:lang="en-US">
-Changes to software components can have significant effects on the
-overall security of the operating system. This requirement ensures
-the software has not been tampered with and that it has been provided
-by a trusted vendor. The Oracle GPG key is necessary to
-cryptographically verify packages are from Oracle.
- </td>
-</tr>
-<tr>
- <td>Req-6.2</td>
<td>Ensure Software Patches Installed</td>
<td xml:lang="en-US">
@@ -123,42 +127,38 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td>Ensure Oracle Linux GPG Key Installed</td>
<td xml:lang="en-US">
-The <tt>gpgcheck</tt> option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
-the <tt>[main]</tt> section:
-<pre>gpgcheck=1</pre>
+To ensure the system can cryptographically verify base software
+packages come from Oracle (and to connect to the Unbreakable Linux Network to
+receive them), the Oracle GPG key must properly be installed.
+To install the Oracle GPG key, run:
+<pre>$ sudo uln_register</pre>
+If the system is not connected to the Internet,
+then install the Oracle GPG key from trusted media such as
+the Oracle installation CD-ROM or DVD. Assuming the disc is mounted
+in <tt>/media/cdrom</tt>, use the following command as the root user to import
+it into the keyring:
+<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>
</td>
<td xml:lang="en-US">
-Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-<br />
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-<br />Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
+Changes to software components can have significant effects on the
+overall security of the operating system. This requirement ensures
+the software has not been tampered with and that it has been provided
+by a trusted vendor. The Oracle GPG key is necessary to
+cryptographically verify packages are from Oracle.
</td>
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
be owned by the <tt>root</tt> user to prevent destruction
or modification of the file.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
</td>
<td xml:lang="en-US">
Only root should be able to modify important boot parameters.
@@ -166,18 +166,17 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -198,17 +197,18 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
@@ -285,69 +285,101 @@
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</td>
+ <td>Enable GNOME3 Screensaver Idle Activation</td>
<td xml:lang="en-US">
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
-to <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+To activate the screensaver in the GNOME3 desktop after a period of inactivity,
+add or set <tt>idle-activation-enabled</tt> to <tt>true</tt> in
+<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
+<pre>[org/gnome/desktop/screensaver]
+idle-activation-enabled=true</pre>
+Once the setting has been added, add a lock to
+<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -42,45 +42,27 @@
<td>Rationale</td>
</thead>
<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Unsuccessul Ownership Changes to Files - chown</td>
- <td xml:lang="en-US">
-The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
- </td>
- <td xml:lang="en-US">
-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- </td>
-</tr>
-<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Attempts to Alter the localtime File</td>
+ <td>Record Attempts to Alter Time Through clock_settime</td>
<td xml:lang="en-US">
If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
</td>
<td xml:lang="en-US">
Arbitrary changes to the system time can be used to obfuscate
@@ -91,136 +73,46 @@
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
- </td>
- <td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Ensure auditd Collects Information on Exporting to Media (successful)</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect media exportation
-events for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
- </td>
- <td xml:lang="en-US">
-The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Any Attempts to Run seunshare</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
- </td>
- <td xml:lang="en-US">
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<br /><br />
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</td>
+ <td>Record Unsuccessul Permission Changes to Files - fchmodat</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
+The audit system should collect unsuccessful file permission change
+attempts for all users and root.
If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
+startup (the default), add the following lines to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file.
+<pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+If the system is 64 bit then also add the following lines:
+<pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
</td>
<td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
+changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,24 +43,6 @@
</thead>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall talk Package</td>
- <td xml:lang="en-US">
-The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase talk</pre>
- </td>
- <td xml:lang="en-US">
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
<td>Remove telnet Clients</td>
<td xml:lang="en-US">
The telnet client allows users to start connections to other systems via
@@ -75,99 +57,107 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall xinetd Package</td>
+ <td>Remove tftp Daemon</td>
<td xml:lang="en-US">
-The <code>xinetd</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase xinetd</pre>
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
</td>
<td xml:lang="en-US">
-Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall ypserv Package</td>
+ <td>Uninstall talk-server Package</td>
<td xml:lang="en-US">
-The <code>ypserv</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase ypserv</pre>
+The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre>
</td>
<td xml:lang="en-US">
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the <tt>ypserv</tt> package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk-server</tt> package decreases the
+risk of the accidental (or intentional) activation of talk services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall DHCP Server Package</td>
+ <td>Uninstall talk Package</td>
<td xml:lang="en-US">
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp</code> package can be removed with the following command:
+The <tt>talk</tt> package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The <code>talk</code> package can be removed with the following command:
<pre>
-$ sudo yum erase dhcp</pre>
+$ sudo yum erase talk</pre>
</td>
<td xml:lang="en-US">
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk</tt> package decreases the
+risk of the accidental (or intentional) activation of talk client program.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall rsh Package</td>
+ <td>Uninstall Sendmail Package</td>
<td xml:lang="en-US">
-
-The <tt>rsh</tt> package contains the client commands
-
-for the rsh services
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The <code>sendmail</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase sendmail</pre>
</td>
<td xml:lang="en-US">
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the <tt>rsh</tt> package removes
-
-the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>.
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
</td>
</tr>
<tr>
- <td>BP28(R1)</td>
- <td>Remove tftp Daemon</td>
+ <td>BP28(R1)<br/>NT007(R03)</td>
+ <td>Uninstall the telnet server</td>
<td xml:lang="en-US">
-Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
+The telnet daemon should be uninstalled.
</td>
<td xml:lang="en-US">
-It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+<tt>telnet</tt> allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall Sendmail Package</td>
+ <td>Uninstall DHCP Server Package</td>
<td xml:lang="en-US">
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The <code>sendmail</code> package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The <code>dhcp</code> package can be removed with the following command:
<pre>
-$ sudo yum erase sendmail</pre>
+$ sudo yum erase dhcp</pre>
</td>
<td xml:lang="en-US">
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
+ <td>Uninstall tftp-server Package</td>
+ <td xml:lang="en-US">
+The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
+ </td>
+ <td xml:lang="en-US">
+Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+<br /><br />
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
</td>
</tr>
<tr>
@@ -189,59 +179,52 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove NIS Client</td>
- <td xml:lang="en-US">
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (<tt>ypbind</tt>) was used to bind a system to an NIS server
-and receive the distributed configuration files.
- </td>
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -553,23 +553,6 @@
</tr>
<tr>
<td>1.2.3</td>
- <td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
- <td xml:lang="en-US">
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:
-<pre>gpgcheck=0</pre>
- </td>
- <td xml:lang="en-US">
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- </td>
-</tr>
-<tr>
- <td>1.2.3</td>
<td>Ensure gpgcheck Enabled In Main yum Configuration</td>
<td xml:lang="en-US">
The <tt>gpgcheck</tt> option controls whether
@@ -598,6 +581,23 @@
</tr>
<tr>
<td>1.2.3</td>
+ <td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
+ <td xml:lang="en-US">
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:
+<pre>gpgcheck=0</pre>
+ </td>
+ <td xml:lang="en-US">
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ </td>
+</tr>
+<tr>
+ <td>1.2.3</td>
<td>Ensure Red Hat GPG Key Installed</td>
<td xml:lang="en-US">
To ensure the system can cryptographically verify base software packages
@@ -709,7 +709,7 @@
</tr>
<tr>
<td>1.4.1</td>
- <td>Set the UEFI Boot Loader Password</td>
+ <td>Set Boot Loader Password in grub2</td>
<td xml:lang="en-US">
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -731,7 +731,7 @@
</tr>
<tr>
<td>1.4.1</td>
- <td>Set Boot Loader Password in grub2</td>
+ <td>Set the UEFI Boot Loader Password</td>
<td xml:lang="en-US">
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -753,17 +753,16 @@
</tr>
<tr>
<td>1.4.2</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg Permissions</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+File permissions for <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should be set to 700.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the permissions of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+Proper permissions ensure that only the root user can modify important boot
+parameters.
</td>
</tr>
<tr>
@@ -782,18 +781,32 @@
</tr>
<tr>
<td>1.4.2</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td xml:lang="en-US">
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
+
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+ </td>
+ <td xml:lang="en-US">
+Only root should be able to modify important boot parameters.
+ </td>
+</tr>
+<tr>
+ <td>1.4.2</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -814,31 +827,35 @@
</tr>
<tr>
<td>1.4.2</td>
- <td>Verify the UEFI Boot Loader grub.cfg Permissions</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-File permissions for <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should be set to 700.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the permissions of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg</pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Proper permissions ensure that only the root user can modify important boot
-parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
- <td>1.4.2</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>1.4.3</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
-
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
</td>
</tr>
<tr>
@@ -860,20 +877,21 @@
</td>
</tr>
<tr>
- <td>1.4.3</td>
- <td>Require Authentication for Emergency Systemd Target</td>
+ <td>1.5.1</td>
+ <td>Disable storing core dump</td>
<td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+The <tt>Storage</tt> option in <tt>[Coredump]</tt> section
+of <tt>/etc/systemd/coredump.conf</tt>
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,29 @@
</thead>
<tr>
<td>3.1.1<br/>3.1.5</td>
+ <td>Prevent Login to Accounts With Empty Password</td>
+ <td xml:lang="en-US">
+If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+<tt>nullok</tt> in
+
+<tt>/etc/pam.d/system-auth</tt>
+
+to prevent logins with empty passwords.
+Note that this rule is not applicable for systems running within a
+container. Having user with empty password within a container is not
+considered a risk, because it should not be possible to directly login into
+a container anyway.
+ </td>
+ <td xml:lang="en-US">
+If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ </td>
+</tr>
+<tr>
+ <td>3.1.1<br/>3.1.5</td>
<td>Disable SSH Access via Empty Passwords</td>
<td xml:lang="en-US">
Disallow SSH login with empty passwords.
@@ -67,118 +90,20 @@
</td>
</tr>
<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Single User Mode</td>
- <td xml:lang="en-US">
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Verify Only Root Has UID 0</td>
- <td xml:lang="en-US">
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-<br />
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- </td>
- <td xml:lang="en-US">
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Restrict Serial Port Root Logins</td>
- <td xml:lang="en-US">
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
- </td>
- <td xml:lang="en-US">
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Emergency Systemd Target</td>
- <td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Disable SSH Root Login</td>
- <td xml:lang="en-US">
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-<tt>/etc/ssh/sshd_config</tt>:
-
-<pre>PermitRootLogin no</pre>
- </td>
- <td xml:lang="en-US">
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Prevent Login to Accounts With Empty Password</td>
+ <td>3.1.1</td>
+ <td>Disable GDM Automatic Login</td>
<td xml:lang="en-US">
-If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-<tt>nullok</tt> in
-
-<tt>/etc/pam.d/system-auth</tt>
-
-to prevent logins with empty passwords.
-Note that this rule is not applicable for systems running within a
-container. Having user with empty password within a container is not
-considered a risk, because it should not be possible to directly login into
-a container anyway.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
</td>
<td xml:lang="en-US">
-If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
</td>
</tr>
<tr>
@@ -208,23 +133,6 @@
</td>
</tr>
<tr>
- <td>3.1.1</td>
- <td>Disable GDM Automatic Login</td>
- <td xml:lang="en-US">
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
- </td>
- <td xml:lang="en-US">
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
- </td>
-</tr>
-<tr>
<td>3.1.1<br/>3.1.5</td>
<td>Restrict Virtual Console Root Logins</td>
<td xml:lang="en-US">
@@ -242,6 +150,41 @@
</td>
</tr>
<tr>
+ <td>3.1.1<br/>3.4.5</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
+ <td xml:lang="en-US">
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+ </td>
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -42,10 +42,40 @@
<td>Rationale</td>
</thead>
<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+ <td>Record Attempts to Alter Time Through clock_settime</td>
+ <td xml:lang="en-US">
+If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+utility to read audit rules during daemon startup, add the following line to
+<tt>/etc/audit/audit.rules</tt> file:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+The -k option allows for the specification of a key in string form that can
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
+ </td>
+ <td xml:lang="en-US">
+Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ </td>
+</tr>
+<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Unsuccessul Ownership Changes to Files - chown</td>
+ <td>Record Unsuccessul Permission Changes to Files - fchmodat</td>
<td xml:lang="en-US">
-The audit system should collect unsuccessful file ownership change
+The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
@@ -54,59 +84,35 @@
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+<pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+<pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
</td>
<td xml:lang="en-US">
-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
+Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Attempts to Alter the localtime File</td>
- <td xml:lang="en-US">
-If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.
- </td>
- <td xml:lang="en-US">
-Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
- </td>
-</tr>
-<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
At a minimum, the audit system should collect file permission
changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
</td>
<td xml:lang="en-US">
The changing of file permissions could indicate that a user is attempting to
@@ -117,42 +123,18 @@
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Ensure auditd Collects Information on Exporting to Media (successful)</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect media exportation
-events for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
- </td>
- <td xml:lang="en-US">
-The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Any Attempts to Run seunshare</td>
+ <td>Ensure auditd Collects Information on the Use of Privileged Commands - su</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+configured to use the <tt>augenrules</tt> program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+utility to read audit rules during daemon startup, add a line of the following
+form to <tt>/etc/audit/audit.rules</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
</td>
<td xml:lang="en-US">
Misuse of privileged functions, either intentionally or unintentionally by
@@ -168,6 +150,51 @@
</td>
</tr>
<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+ <td>Record Attempts to Alter Logon and Logout Events - faillock</td>
+ <td xml:lang="en-US">
+The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/run/faillock -p wa -k logins</pre>
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/run/faillock -p wa -k logins</pre>
+ </td>
+ <td xml:lang="en-US">
+Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
+ </td>
+</tr>
+<tr>
+ <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
+ <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+ <td xml:lang="en-US">
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -57,21 +57,6 @@
</tr>
<tr>
<td>FAU_GEN.1</td>
- <td>Set hostname as computer node name in audit logs</td>
- <td xml:lang="en-US">
-To configure Audit daemon to use value returned by gethostname
-syscall as computer node name in the audit events,
-set <tt>name_format</tt> to <tt>hostname</tt>
-in <tt>/etc/audit/auditd.conf</tt>.
- </td>
- <td xml:lang="en-US">
-If option <tt>name_format</tt> is left at its default value of
-<tt>none</tt>, audit events from different computers may be hard
-to distinguish.
- </td>
-</tr>
-<tr>
- <td>FAU_GEN.1</td>
<td>Set number of records to cause an explicit flush to audit logs</td>
<td xml:lang="en-US">
To configure Audit daemon to issue an explicit flush to disk command
@@ -85,83 +70,82 @@
</td>
</tr>
<tr>
- <td>FAU_GEN.1.1.c</td>
- <td>Ensure cron Is Logging To Rsyslog</td>
+ <td>FAU_GEN.1</td>
+ <td>Set hostname as computer node name in audit logs</td>
<td xml:lang="en-US">
-Cron logging must be implemented to spot intrusions or trace
-cron job status. If <tt>cron</tt> is not logging to <tt>rsyslog</tt>, it
-can be implemented by adding the following to the <i>RULES</i> section of
-<tt>/etc/rsyslog.conf</tt>:
-<pre>cron.* /var/log/cron</pre>
+To configure Audit daemon to use value returned by gethostname
+syscall as computer node name in the audit events,
+set <tt>name_format</tt> to <tt>hostname</tt>
+in <tt>/etc/audit/auditd.conf</tt>.
</td>
<td xml:lang="en-US">
-Cron logging can be used to trace the successful or unsuccessful execution
-of cron jobs. It can also be used to spot intrusions into the use of the cron
-facility by unauthorized and malicious users.
+If option <tt>name_format</tt> is left at its default value of
+<tt>none</tt>, audit events from different computers may be hard
+to distinguish.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
+ <td>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured
+The audit system should collect write events to /etc/group file for all group and root.
+If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify</pre>
</td>
<td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
-The audit system should collect write events to /etc/gshadow file for all users and root.
-If the <tt>auditd</tt> daemon is configured
+At a minimum, the audit system should collect file permission
+changes for all users and root. If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
+startup (the default), add the following line to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
+utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
</td>
<td xml:lang="en-US">
-Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.
+The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
</td>
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Any Attempts to Run seunshare</td>
+ <td>Ensure auditd Collects Information on the Use of Privileged Commands - su</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the <tt>auditd</tt> daemon is
+configured to use the <tt>augenrules</tt> program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged</pre>
+utility to read audit rules during daemon startup, add a line of the following
+form to <tt>/etc/audit/audit.rules</tt>:
+<pre>-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged</pre>
</td>
<td xml:lang="en-US">
Misuse of privileged functions, either intentionally or unintentionally by
@@ -178,132 +162,64 @@
</tr>
<tr>
<td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
- </td>
- <td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- </td>
-</tr>
-<tr>
- <td>FAU_GEN.1.1.c</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</td>
+ <td>Record Attempts to Alter Logon and Logout Events - faillock</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -59,6 +59,34 @@
</tr>
<tr>
<td>Req-6.2</td>
+ <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td xml:lang="en-US">
+The <tt>gpgcheck</tt> option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
+the <tt>[main]</tt> section:
+<pre>gpgcheck=1</pre>
+ </td>
+ <td xml:lang="en-US">
+Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+<br />
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+<br />Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ </td>
+</tr>
+<tr>
+ <td>Req-6.2</td>
<td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
<td xml:lang="en-US">
To ensure signature checking is not disabled for
@@ -99,34 +127,6 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
- <td xml:lang="en-US">
-The <tt>gpgcheck</tt> option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
-the <tt>[main]</tt> section:
-<pre>gpgcheck=1</pre>
- </td>
- <td xml:lang="en-US">
-Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-<br />
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-<br />Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
- </td>
-</tr>
-<tr>
- <td>Req-6.2</td>
<td>Ensure Red Hat GPG Key Installed</td>
<td xml:lang="en-US">
To ensure the system can cryptographically verify base software packages
@@ -156,14 +156,14 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
be owned by the <tt>root</tt> user to prevent destruction
or modification of the file.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
</td>
<td xml:lang="en-US">
Only root should be able to modify important boot parameters.
@@ -171,18 +171,17 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -203,17 +202,18 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
@@ -290,69 +290,101 @@
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</td>
+ <td>Enable GNOME3 Screensaver Idle Activation</td>
<td xml:lang="en-US">
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
-to <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+To activate the screensaver in the GNOME3 desktop after a period of inactivity,
+add or set <tt>idle-activation-enabled</tt> to <tt>true</tt> in
+<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
+<pre>[org/gnome/desktop/screensaver]
+idle-activation-enabled=true</pre>
+Once the setting has been added, add a lock to
+<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
After the settings have been set, run <tt>dconf update</tt>.
</td>
<td xml:lang="en-US">
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
+physical vicinity of the information system but does not logout because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
+GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
+session lock.
+<br /><br />
+Enabling idle activation of the screensaver ensures the screensaver will
+be activated after the idle delay. Applications requiring continuous,
+real-time screen display (such as network management products) require the
+login session does not have administrator rights and the display station is located in a
+controlled-access area.
</td>
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Enable GNOME3 Screensaver Lock After Idle Period</td>
+ <td>Set SSH Idle Timeout Interval</td>
+ <td xml:lang="en-US">
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+<br /><br />
+To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
+follows:
+<pre>ClientAliveInterval <b><abbr title="$sshd_idle_timeout_value"><tt>300</tt></abbr></b></pre>
+<br/><br/>
+The timeout <b>interval</b> is given in seconds. For example, have a timeout
+of 10 minutes, set <b>interval</b> to 600.
+<br /><br />
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
+ </td>
+ <td xml:lang="en-US">
+Terminating an idle ssh session within a short time period reduces the window of
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,24 +43,6 @@
</thead>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall talk Package</td>
- <td xml:lang="en-US">
-The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase talk</pre>
- </td>
- <td xml:lang="en-US">
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- </td>
-</tr>
-<tr>
- <td>BP28(R1)</td>
<td>Remove telnet Clients</td>
<td xml:lang="en-US">
The telnet client allows users to start connections to other systems via
@@ -75,99 +57,107 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall xinetd Package</td>
+ <td>Remove tftp Daemon</td>
<td xml:lang="en-US">
-The <code>xinetd</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase xinetd</pre>
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
</td>
<td xml:lang="en-US">
-Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall ypserv Package</td>
+ <td>Uninstall talk-server Package</td>
<td xml:lang="en-US">
-The <code>ypserv</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase ypserv</pre>
+The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre>
</td>
<td xml:lang="en-US">
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the <tt>ypserv</tt> package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk-server</tt> package decreases the
+risk of the accidental (or intentional) activation of talk services.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall DHCP Server Package</td>
+ <td>Uninstall talk Package</td>
<td xml:lang="en-US">
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp-server</code> package can be removed with the following command:
+The <tt>talk</tt> package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The <code>talk</code> package can be removed with the following command:
<pre>
-$ sudo yum erase dhcp-server</pre>
+$ sudo yum erase talk</pre>
</td>
<td xml:lang="en-US">
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the <tt>talk</tt> package decreases the
+risk of the accidental (or intentional) activation of talk client program.
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall rsh Package</td>
+ <td>Uninstall Sendmail Package</td>
<td xml:lang="en-US">
-
-The <tt>rsh</tt> package contains the client commands
-
-for the rsh services
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The <code>sendmail</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase sendmail</pre>
</td>
<td xml:lang="en-US">
-These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the <tt>rsh</tt> package removes
-
-the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>.
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
</td>
</tr>
<tr>
- <td>BP28(R1)</td>
- <td>Remove tftp Daemon</td>
+ <td>BP28(R1)<br/>NT007(R03)</td>
+ <td>Uninstall the telnet server</td>
<td xml:lang="en-US">
-Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
+The telnet daemon should be uninstalled.
</td>
<td xml:lang="en-US">
-It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+<tt>telnet</tt> allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
</td>
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Uninstall Sendmail Package</td>
+ <td>Uninstall DHCP Server Package</td>
<td xml:lang="en-US">
-Sendmail is not the default mail transfer agent and is
-not installed by default.
-The <code>sendmail</code> package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The <code>dhcp-server</code> package can be removed with the following command:
<pre>
-$ sudo yum erase sendmail</pre>
+$ sudo yum erase dhcp-server</pre>
</td>
<td xml:lang="en-US">
-The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ </td>
+</tr>
+<tr>
+ <td>BP28(R1)</td>
+ <td>Uninstall tftp-server Package</td>
+ <td xml:lang="en-US">
+The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
+ </td>
+ <td xml:lang="en-US">
+Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+<br /><br />
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
</td>
</tr>
<tr>
@@ -189,59 +179,52 @@
</tr>
<tr>
<td>BP28(R1)</td>
- <td>Remove NIS Client</td>
- <td xml:lang="en-US">
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (<tt>ypbind</tt>) was used to bind a system to an NIS server
-and receive the distributed configuration files.
- </td>
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -672,17 +672,16 @@
</tr>
<tr>
<td>1.5.1</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg Permissions</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+File permissions for <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should be set to 700.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the permissions of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+Proper permissions ensure that only the root user can modify important boot
+parameters.
</td>
</tr>
<tr>
@@ -701,18 +700,32 @@
</tr>
<tr>
<td>1.5.1</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td xml:lang="en-US">
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
+
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+ </td>
+ <td xml:lang="en-US">
+Only root should be able to modify important boot parameters.
+ </td>
+</tr>
+<tr>
+ <td>1.5.1</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -733,36 +746,23 @@
</tr>
<tr>
<td>1.5.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg Permissions</td>
- <td xml:lang="en-US">
-File permissions for <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should be set to 700.
-
-To properly set the permissions of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg</pre>
- </td>
- <td xml:lang="en-US">
-Proper permissions ensure that only the root user can modify important boot
-parameters.
- </td>
-</tr>
-<tr>
- <td>1.5.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
<td>1.5.2</td>
- <td>Set the UEFI Boot Loader Password</td>
+ <td>Set Boot Loader Password in grub2</td>
<td xml:lang="en-US">
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -784,7 +784,7 @@
</tr>
<tr>
<td>1.5.2</td>
- <td>Set Boot Loader Password in grub2</td>
+ <td>Set the UEFI Boot Loader Password</td>
<td xml:lang="en-US">
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -806,6 +806,23 @@
</tr>
<tr>
<td>1.5.3</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
+ <td xml:lang="en-US">
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+ </td>
+ <td xml:lang="en-US">
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+ </td>
+</tr>
+<tr>
+ <td>1.5.3</td>
<td>Require Authentication for Single User Mode</td>
<td xml:lang="en-US">
Single-user mode is intended as a system recovery
@@ -823,20 +840,21 @@
</td>
</tr>
<tr>
- <td>1.5.3</td>
- <td>Require Authentication for Emergency Systemd Target</td>
+ <td>1.6.1</td>
+ <td>Disable storing core dump</td>
<td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+The <tt>Storage</tt> option in <tt>[Coredump]</tt> section
+of <tt>/etc/systemd/coredump.conf</tt>
+can be set to <tt>none</tt> to disable storing core dumps permanently.
</td>
<td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data
+and is generally useful only for developers or system operators trying to
+debug problems. Enabling core dumps on production systems is not recommended,
+however there may be overriding operational requirements to enable advanced
+debuging. Permitting temporary enablement of core dumps during such situations
+should be reviewed through local needs and policy.
</td>
</tr>
<tr>
@@ -856,21 +874,6 @@
</tr>
<tr>
<td>1.6.1</td>
- <td>Disable Core Dumps for All Users</td>
- <td xml:lang="en-US">
-To disable core dumps for all users, add the following line to
-<tt>/etc/security/limits.conf</tt>, or to a file within the
-<tt>/etc/security/limits.d/</tt> directory:
-<pre>* hard core 0</pre>
- </td>
- <td xml:lang="en-US">
-A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is generally useful
-only for developers trying to debug problems.
- </td>
-</tr>
-<tr>
- <td>1.6.1</td>
<td>Disable core dump backtraces</td>
<td xml:lang="en-US">
The <tt>ProcessSizeMax</tt> option in <tt>[Coredump]</tt> section
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -43,6 +43,29 @@
</thead>
<tr>
<td>3.1.1<br/>3.1.5</td>
+ <td>Prevent Login to Accounts With Empty Password</td>
+ <td xml:lang="en-US">
+If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+<tt>nullok</tt> in
+
+<tt>/etc/pam.d/system-auth</tt>
+
+to prevent logins with empty passwords.
+Note that this rule is not applicable for systems running within a
+container. Having user with empty password within a container is not
+considered a risk, because it should not be possible to directly login into
+a container anyway.
+ </td>
+ <td xml:lang="en-US">
+If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ </td>
+</tr>
+<tr>
+ <td>3.1.1<br/>3.1.5</td>
<td>Disable SSH Access via Empty Passwords</td>
<td xml:lang="en-US">
Disallow SSH login with empty passwords.
@@ -67,118 +90,20 @@
</td>
</tr>
<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Single User Mode</td>
- <td xml:lang="en-US">
-Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup. By default, no authentication
-is performed if single-user mode is selected.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Verify Only Root Has UID 0</td>
- <td xml:lang="en-US">
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-<br />
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- </td>
- <td xml:lang="en-US">
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Restrict Serial Port Root Logins</td>
- <td xml:lang="en-US">
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
- </td>
- <td xml:lang="en-US">
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.4.5</td>
- <td>Require Authentication for Emergency Systemd Target</td>
- <td xml:lang="en-US">
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
- </td>
- <td xml:lang="en-US">
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Disable SSH Root Login</td>
- <td xml:lang="en-US">
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-<tt>/etc/ssh/sshd_config</tt>:
-
-<pre>PermitRootLogin no</pre>
- </td>
- <td xml:lang="en-US">
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
- </td>
-</tr>
-<tr>
- <td>3.1.1<br/>3.1.5</td>
- <td>Prevent Login to Accounts With Empty Password</td>
+ <td>3.1.1</td>
+ <td>Disable GDM Automatic Login</td>
<td xml:lang="en-US">
-If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-<tt>nullok</tt> in
-
-<tt>/etc/pam.d/system-auth</tt>
-
-to prevent logins with empty passwords.
-Note that this rule is not applicable for systems running within a
-container. Having user with empty password within a container is not
-considered a risk, because it should not be possible to directly login into
-a container anyway.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
</td>
<td xml:lang="en-US">
-If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
</td>
</tr>
<tr>
@@ -208,23 +133,6 @@
</td>
</tr>
<tr>
- <td>3.1.1</td>
- <td>Disable GDM Automatic Login</td>
- <td xml:lang="en-US">
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
- </td>
- <td xml:lang="en-US">
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
- </td>
-</tr>
-<tr>
<td>3.1.1<br/>3.1.5</td>
<td>Restrict Virtual Console Root Logins</td>
<td xml:lang="en-US">
@@ -242,6 +150,41 @@
</td>
</tr>
<tr>
+ <td>3.1.1<br/>3.4.5</td>
+ <td>Require Authentication for Emergency Systemd Target</td>
+ <td xml:lang="en-US">
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
+ </td>
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -42,45 +42,27 @@
<td>Rationale</td>
</thead>
<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Unsuccessul Ownership Changes to Files - chown</td>
- <td xml:lang="en-US">
-The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
- </td>
- <td xml:lang="en-US">
-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- </td>
-</tr>
-<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Attempts to Alter the localtime File</td>
+ <td>Record Attempts to Alter Time Through clock_settime</td>
<td xml:lang="en-US">
If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following line to
<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
+<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
+If the system is 64 bit then also add the following line:
+<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
</td>
<td xml:lang="en-US">
Arbitrary changes to the system time can be used to obfuscate
@@ -91,148 +73,50 @@
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - setxattr</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod</pre>
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod</pre>
- </td>
- <td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Ensure auditd Collects Information on Exporting to Media (successful)</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect media exportation
-events for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export</pre>
- </td>
- <td xml:lang="en-US">
-The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
- <td>Record Any Attempts to Run seunshare</td>
- <td xml:lang="en-US">
-At a minimum, the audit system should collect any execution attempt
-of the <tt>seunshare</tt> command for all users and root. If the <tt>auditd</tt>
-daemon is configured to use the <tt>augenrules</tt> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre>
- </td>
- <td xml:lang="en-US">
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<br /><br />
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- </td>
-</tr>
-<tr>
- <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</td>
+ <td>Record Unsuccessul Permission Changes to Files - fchmodat</td>
<td xml:lang="en-US">
-At a minimum, the audit system should collect file permission
-changes for all users and root.
-<br /><br />
+The audit system should collect unsuccessful file permission change
+attempts for all users and root.
If the <tt>auditd</tt> daemon is configured
to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
-<br /><br />
+startup (the default), add the following lines to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
-<br /><br />
-If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod</pre>
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file.
+<pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
+If the system is 64 bit then also add the following lines:
+<pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
</td>
<td xml:lang="en-US">
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
</td>
</tr>
<tr>
<td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
- <td>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</td>
+ <td>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</td>
<td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000
@@ -59,6 +59,34 @@
</tr>
<tr>
<td>Req-6.2</td>
+ <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
+ <td xml:lang="en-US">
+The <tt>gpgcheck</tt> option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
+the <tt>[main]</tt> section:
+<pre>gpgcheck=1</pre>
+ </td>
+ <td xml:lang="en-US">
+Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+<br />
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+<br />Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ </td>
+</tr>
+<tr>
+ <td>Req-6.2</td>
<td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
<td xml:lang="en-US">
To ensure signature checking is not disabled for
@@ -99,34 +127,6 @@
</tr>
<tr>
<td>Req-6.2</td>
- <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
- <td xml:lang="en-US">
-The <tt>gpgcheck</tt> option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
-the <tt>[main]</tt> section:
-<pre>gpgcheck=1</pre>
- </td>
- <td xml:lang="en-US">
-Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-<br />
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-<br />Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
- </td>
-</tr>
-<tr>
- <td>Req-6.2</td>
<td>Ensure Red Hat GPG Key Installed</td>
<td xml:lang="en-US">
To ensure the system can cryptographically verify base software packages
@@ -156,14 +156,14 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+ <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/grub2/grub.cfg</tt> should
+The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
be owned by the <tt>root</tt> user to prevent destruction
or modification of the file.
-To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
</td>
<td xml:lang="en-US">
Only root should be able to modify important boot parameters.
@@ -171,18 +171,17 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg User Ownership</td>
<td xml:lang="en-US">
The file <tt>/boot/grub2/grub.cfg</tt> should
-be group-owned by the <tt>root</tt> group to prevent
-destruction or modification of the file.
+be owned by the <tt>root</tt> user to prevent destruction
+or modification of the file.
-To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
+To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/grub2/grub.cfg </pre>
</td>
<td xml:lang="en-US">
-The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
</td>
</tr>
<tr>
@@ -203,17 +202,18 @@
</tr>
<tr>
<td>Req-7.1</td>
- <td>Verify the UEFI Boot Loader grub.cfg User Ownership</td>
+ <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
<td xml:lang="en-US">
-The file <tt>/boot/efi/EFI/redhat/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
-or modification of the file.
+The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
-To properly set the owner of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command:
-<pre>$ sudo chown root /boot/efi/EFI/redhat/grub.cfg </pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</td>
<td xml:lang="en-US">
-Only root should be able to modify important boot parameters.
+The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
</td>
</tr>
<tr>
@@ -290,69 +290,101 @@
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</td>
+ <td>Enable GNOME3 Screensaver Idle Activation</td>
<td xml:lang="en-US">
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
-to <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+To activate the screensaver in the GNOME3 desktop after a period of inactivity,
+add or set <tt>idle-activation-enabled</tt> to <tt>true</tt> in
+<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
+<pre>[org/gnome/desktop/screensaver]
+idle-activation-enabled=true</pre>
+Once the setting has been added, add a lock to
+<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
After the settings have been set, run <tt>dconf update</tt>.
</td>
<td xml:lang="en-US">
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
+physical vicinity of the information system but does not logout because of the temporary nature of the absence.
+Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
+GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
+session lock.
+<br /><br />
+Enabling idle activation of the screensaver ensures the screensaver will
+be activated after the idle delay. Applications requiring continuous,
+real-time screen display (such as network management products) require the
+login session does not have administrator rights and the display station is located in a
+controlled-access area.
</td>
</tr>
<tr>
<td>Req-8.1.8</td>
- <td>Enable GNOME3 Screensaver Lock After Idle Period</td>
+ <td>Set SSH Idle Timeout Interval</td>
+ <td xml:lang="en-US">
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+<br /><br />
+To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
+follows:
+<pre>ClientAliveInterval <b><abbr title="$sshd_idle_timeout_value"><tt>300</tt></abbr></b></pre>
+<br/><br/>
+The timeout <b>interval</b> is given in seconds. For example, have a timeout
+of 10 minutes, set <b>interval</b> to 600.
+<br /><br />
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
+ </td>
+ <td xml:lang="en-US">
+Terminating an idle ssh session within a short time period reduces the window of
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2022-02-28T13:54:44.905471">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_rhelh-stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_rhelh-stig"><xccdf-1.2:title xml:lang="en-US" override="true">RHV hardening based on STIG for Red Hat Enterprise Linux 7</xccdf-1.2:title>
+<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2037-04-02T03:12:11.395817">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_rhelh-stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_rhelh-stig"><xccdf-1.2:title xml:lang="en-US" override="true">RHV hardening based on STIG for Red Hat Enterprise Linux 7</xccdf-1.2:title>
<xccdf-1.2:description xml:lang="en-US" override="true">This profile contains configuration checks for
Red Hat Virtualization based on the
the DISA STIG for Red Hat Enterprise Linux 7.</xccdf-1.2:description>
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2022-02-28T13:58:34.597074">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title xml:lang="en-US" override="true">DISA STIG for Red Hat Enterprise Linux 8</xccdf-1.2:title>
+<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2037-04-02T03:16:50.614023">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title xml:lang="en-US" override="true">DISA STIG for Red Hat Enterprise Linux 8</xccdf-1.2:title>
<xccdf-1.2:description xml:lang="en-US" override="true">This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R4.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49397,88 +49397,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -49487,322 +49469,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49400,88 +49400,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -49490,322 +49472,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
<xccdf-1.1:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.1="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <xccdf-1.1:status date="2022-02-28">draft</xccdf-1.1:status>
+ <xccdf-1.1:status date="2037-04-02">draft</xccdf-1.1:status>
<xccdf-1.1:title xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.1:title>
<xccdf-1.1:description xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -56,59 +56,54 @@
<cpe-lang:fact-ref name="cpe:/a:machine" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_login_defs">
- <cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:login_defs" />
- </cpe-lang:logical-test>
- </cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_audit">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:audit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_grub2">
+ <cpe-lang:platform id="cpe_platform_pam">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:grub2" />
+ <cpe-lang:fact-ref name="cpe:/a:pam" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_chrony">
+ <cpe-lang:platform id="cpe_platform_yum">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:chrony" />
+ <cpe-lang:fact-ref name="cpe:/a:yum" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sssd">
+ <cpe-lang:platform id="cpe_platform_net-snmp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sssd" />
+ <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_pam">
+ <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:pam" />
+ <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sudo">
+ <cpe-lang:platform id="cpe_platform_gdm">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sudo" />
+ <cpe-lang:fact-ref name="cpe:/a:gdm" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sssd-ldap">
+ <cpe-lang:platform id="cpe_platform_login_defs">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sssd-ldap" />
+ <cpe-lang:fact-ref name="cpe:/a:login_defs" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_postfix">
+ <cpe-lang:platform id="cpe_platform_sssd">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:postfix" />
+ <cpe-lang:fact-ref name="cpe:/a:sssd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_gdm">
+ <cpe-lang:platform id="cpe_platform_sudo">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:gdm" />
+ <cpe-lang:fact-ref name="cpe:/a:sudo" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_ntp">
+ <cpe-lang:platform id="cpe_platform_sssd-ldap">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:ntp" />
+ <cpe-lang:fact-ref name="cpe:/a:sssd-ldap" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_not_s390x_arch">
@@ -116,29 +111,29 @@
<cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_wifi-iface">
+ <cpe-lang:platform id="cpe_platform_ntp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
+ <cpe-lang:fact-ref name="cpe:/a:ntp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:platform id="cpe_platform_grub2">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ <cpe-lang:fact-ref name="cpe:/a:grub2" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_yum">
+ <cpe-lang:platform id="cpe_platform_chrony">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:yum" />
+ <cpe-lang:fact-ref name="cpe:/a:chrony" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_net-snmp">
+ <cpe-lang:platform id="cpe_platform_postfix">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
+ <cpe-lang:fact-ref name="cpe:/a:postfix" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
+ <cpe-lang:platform id="cpe_platform_wifi-iface">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
+ <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_polkit">
@@ -146,14 +141,19 @@
<cpe-lang:fact-ref name="cpe:/a:polkit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
+ <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:logical-test operator="OR" negate="false">
+ <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ </cpe-lang:logical-test>
+ </cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_systemd">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:systemd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_non-uefi">
+ <cpe-lang:platform id="cpe_platform_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
+ <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_uefi">
@@ -161,9 +161,9 @@
<cpe-lang:fact-ref name="cpe:/a:uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_non-uefi">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
</cpe-lang:platform-specification>
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -52029,2758 +52029,2752 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -52031,2758 +52031,2752 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
<xccdf-1.1:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.1="http://checklists.nist.gov/xccdf/1.1" id="RHEL-8" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <xccdf-1.1:status date="2022-02-28">draft</xccdf-1.1:status>
+ <xccdf-1.1:status date="2037-04-02">draft</xccdf-1.1:status>
<xccdf-1.1:title xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.1:title>
<xccdf-1.1:description xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -56,14 +56,14 @@
<cpe-lang:fact-ref name="cpe:/a:machine" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_login_defs">
+ <cpe-lang:platform id="cpe_platform_audit">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:login_defs" />
+ <cpe-lang:fact-ref name="cpe:/a:audit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_audit">
+ <cpe-lang:platform id="cpe_platform_pam">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:audit" />
+ <cpe-lang:fact-ref name="cpe:/a:pam" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_sssd">
@@ -71,14 +71,24 @@
<cpe-lang:fact-ref name="cpe:/a:sssd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_grub2">
+ <cpe-lang:platform id="cpe_platform_not_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:grub2" />
+ <cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_chrony">
+ <cpe-lang:platform id="cpe_platform_yum">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:chrony" />
+ <cpe-lang:fact-ref name="cpe:/a:yum" />
+ </cpe-lang:logical-test>
+ </cpe-lang:platform>
+ <cpe-lang:platform id="cpe_platform_net-snmp">
+ <cpe-lang:logical-test operator="OR" negate="false">
+ <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
+ </cpe-lang:logical-test>
+ </cpe-lang:platform>
+ <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
+ <cpe-lang:logical-test operator="OR" negate="false">
+ <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_no_ovirt">
@@ -86,9 +96,14 @@
<cpe-lang:fact-ref name="cpe:/a:no_ovirt" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_pam">
+ <cpe-lang:platform id="cpe_platform_gdm">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:pam" />
+ <cpe-lang:fact-ref name="cpe:/a:gdm" />
+ </cpe-lang:logical-test>
+ </cpe-lang:platform>
+ <cpe-lang:platform id="cpe_platform_login_defs">
+ <cpe-lang:logical-test operator="OR" negate="false">
+ <cpe-lang:fact-ref name="cpe:/a:login_defs" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_sudo">
@@ -101,19 +116,19 @@
<cpe-lang:fact-ref name="cpe:/a:sssd-ldap" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_postfix">
+ <cpe-lang:platform id="cpe_platform_grub2">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:postfix" />
+ <cpe-lang:fact-ref name="cpe:/a:grub2" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_gdm">
+ <cpe-lang:platform id="cpe_platform_chrony">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:gdm" />
+ <cpe-lang:fact-ref name="cpe:/a:chrony" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_not_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_postfix">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:postfix" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_wifi-iface">
@@ -121,9 +136,9 @@
<cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:platform id="cpe_platform_polkit">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ <cpe-lang:fact-ref name="cpe:/a:polkit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_ntp">
@@ -131,24 +146,9 @@
<cpe-lang:fact-ref name="cpe:/a:ntp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_yum">
- <cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:yum" />
- </cpe-lang:logical-test>
- </cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_net-snmp">
- <cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
- </cpe-lang:logical-test>
- </cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
- <cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
- </cpe-lang:logical-test>
- </cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_polkit">
+ <cpe-lang:platform id="cpe_platform_libuser">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:polkit" />
+ <cpe-lang:fact-ref name="cpe:/a:libuser" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_systemd">
@@ -156,9 +156,9 @@
<cpe-lang:fact-ref name="cpe:/a:systemd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_non-uefi">
+ <cpe-lang:platform id="cpe_platform_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
+ <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_uefi">
@@ -166,9 +166,9 @@
<cpe-lang:fact-ref name="cpe:/a:uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_non-uefi">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
</cpe-lang:platform-specification>
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -48475,406 +48475,400 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_polipo_session_users_ocil:questionnaire:1">
+ <ocil:title>Disable the polipo_session_users SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_polipo_session_users_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1">
+ <ocil:title>Disable the entropyd_use_audio SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_entropyd_use_audio_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -48477,406 +48477,400 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_polipo_session_users_ocil:questionnaire:1">
+ <ocil:title>Disable the polipo_session_users SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_polipo_session_users_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1">
+ <ocil:title>Disable the entropyd_use_audio SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_entropyd_use_audio_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
<xccdf-1.1:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.1="http://checklists.nist.gov/xccdf/1.1" id="RHEL-9" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <xccdf-1.1:status date="2022-02-28">draft</xccdf-1.1:status>
+ <xccdf-1.1:status date="2037-04-02">draft</xccdf-1.1:status>
<xccdf-1.1:title xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.1:title>
<xccdf-1.1:description xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -56,34 +56,34 @@
<cpe-lang:fact-ref name="cpe:/a:machine" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_login_defs">
+ <cpe-lang:platform id="cpe_platform_audit">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:login_defs" />
+ <cpe-lang:fact-ref name="cpe:/a:audit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_audit">
+ <cpe-lang:platform id="cpe_platform_pam">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:audit" />
+ <cpe-lang:fact-ref name="cpe:/a:pam" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sssd">
+ <cpe-lang:platform id="cpe_platform_not_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sssd" />
+ <cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_grub2">
+ <cpe-lang:platform id="cpe_platform_yum">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:grub2" />
+ <cpe-lang:fact-ref name="cpe:/a:yum" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_chrony">
+ <cpe-lang:platform id="cpe_platform_gdm">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:chrony" />
+ <cpe-lang:fact-ref name="cpe:/a:gdm" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_pam">
+ <cpe-lang:platform id="cpe_platform_login_defs">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:pam" />
+ <cpe-lang:fact-ref name="cpe:/a:login_defs" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_sudo">
@@ -91,49 +91,49 @@
<cpe-lang:fact-ref name="cpe:/a:sudo" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_postfix">
+ <cpe-lang:platform id="cpe_platform_grub2">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:postfix" />
+ <cpe-lang:fact-ref name="cpe:/a:grub2" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_gdm">
+ <cpe-lang:platform id="cpe_platform_chrony">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:gdm" />
+ <cpe-lang:fact-ref name="cpe:/a:chrony" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_not_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_postfix">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:postfix" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_wifi-iface">
+ <cpe-lang:platform id="cpe_platform_sssd">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
+ <cpe-lang:fact-ref name="cpe:/a:sssd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:platform id="cpe_platform_wifi-iface">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_ntp">
+ <cpe-lang:platform id="cpe_platform_polkit">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:ntp" />
+ <cpe-lang:fact-ref name="cpe:/a:polkit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_yum">
+ <cpe-lang:platform id="cpe_platform_net-snmp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:yum" />
+ <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_net-snmp">
+ <cpe-lang:platform id="cpe_platform_ntp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
+ <cpe-lang:fact-ref name="cpe:/a:ntp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_polkit">
+ <cpe-lang:platform id="cpe_platform_libuser">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:polkit" />
+ <cpe-lang:fact-ref name="cpe:/a:libuser" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_systemd">
@@ -141,9 +141,9 @@
<cpe-lang:fact-ref name="cpe:/a:systemd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_non-uefi">
+ <cpe-lang:platform id="cpe_platform_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
+ <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_uefi">
@@ -151,9 +151,9 @@
<cpe-lang:fact-ref name="cpe:/a:uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_non-uefi">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
</cpe-lang:platform-specification>
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -35470,1570 +35470,1558 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -35470,1570 +35470,1558 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,1570 +7,1558 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="FEDORA" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Fedora</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -43,19 +43,14 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_login_defs">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
- </logical-test>
- </platform>
<platform id="cpe_platform_audit">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
<platform id="cpe_platform_sssd">
@@ -63,24 +58,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sudo">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sudo"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
</logical-test>
</platform>
<platform id="cpe_platform_gdm">
@@ -88,34 +83,39 @@
<fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_sudo">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_net-snmp">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_wifi-iface">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
<platform id="cpe_platform_polkit">
@@ -123,14 +123,14 @@
<fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -138,9 +138,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -36965,1342 +36965,1342 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -36967,1342 +36967,1342 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,1342 +7,1342 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="OL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Oracle Linux 7</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
<platform id="cpe_platform_audit">
@@ -53,29 +53,34 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:login_defs"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_sssd">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -88,19 +93,19 @@
<fact-ref name="cpe:/a:sssd-ldap"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
<platform id="cpe_platform_wifi-iface">
@@ -108,24 +113,19 @@
<fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
- </logical-test>
- </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_net-snmp">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -133,9 +133,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -143,9 +143,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -39565,976 +39565,964 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -39567,976 +39567,964 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,976 +7,964 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="OL-8" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Oracle Linux 8</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
<platform id="cpe_platform_audit">
@@ -53,9 +53,9 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
<platform id="cpe_platform_sssd">
@@ -63,54 +63,54 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sudo">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sudo"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd-ldap">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd-ldap"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_sudo">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_sssd-ldap">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:sssd-ldap"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
<platform id="cpe_platform_ntp">
@@ -118,14 +118,14 @@
<fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_net-snmp">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -133,9 +133,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -143,9 +143,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -29741,160 +29741,142 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_ocil:questionnaire:1">
- <ocil:title>Extend Audit Backlog Limit for the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
+ <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-harden_openssl_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Harden OpenSSL Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-harden_openssl_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -29741,160 +29741,142 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_ocil:questionnaire:1">
- <ocil:title>Extend Audit Backlog Limit for the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
+ <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-harden_openssl_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Harden OpenSSL Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-harden_openssl_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,160 +7,142 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_ocil:questionnaire:1">
- <ocil:title>Extend Audit Backlog Limit for the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
+ <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
+ <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-harden_openssl_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Harden OpenSSL Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
+ <ocil:title>Record Unsuccessul Permission Changes to Files - fchmodat</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-harden_openssl_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHCOS-4" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -48,19 +48,24 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_sssd">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:sssd"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -73,44 +78,39 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_polkit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_polkit">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:polkit"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -118,9 +118,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -128,9 +128,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -50257,88 +50257,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -50347,322 +50329,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -50260,88 +50260,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -50350,322 +50332,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,88 +7,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -97,322 +79,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -48,59 +48,54 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_login_defs">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
- </logical-test>
- </platform>
<platform id="cpe_platform_audit">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_nss-pam-ldapd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:nss-pam-ldapd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sudo">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sudo"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd-ldap">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd-ldap"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_sssd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_sudo">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_sssd-ldap">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:sssd-ldap"/>
</logical-test>
</platform>
<platform id="cpe_platform_not_s390x_arch">
@@ -108,29 +103,29 @@
<fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_net-snmp">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_nss-pam-ldapd">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:nss-pam-ldapd"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
<platform id="cpe_platform_polkit">
@@ -138,14 +133,19 @@
<fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_libuser">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:libuser"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_systemd">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -153,9 +153,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -52869,2758 +52869,2752 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -52871,2758 +52871,2752 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,2758 +7,2752 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
+ <ocil:title>Configure SSSD to run as user sssd</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-8" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 8</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -48,14 +48,14 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_audit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_audit">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:audit"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
<platform id="cpe_platform_sssd">
@@ -63,14 +63,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:yum"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_net-snmp">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:net-snmp"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_nss-pam-ldapd">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:nss-pam-ldapd"/>
</logical-test>
</platform>
<platform id="cpe_platform_no_ovirt">
@@ -78,9 +88,14 @@
<fact-ref name="cpe:/a:no_ovirt"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:gdm"/>
+ </logical-test>
+ </platform>
+ <platform id="cpe_platform_login_defs">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -93,19 +108,19 @@
<fact-ref name="cpe:/a:sssd-ldap"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
<platform id="cpe_platform_wifi-iface">
@@ -113,9 +128,9 @@
<fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_polkit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
<platform id="cpe_platform_ntp">
@@ -123,24 +138,9 @@
<fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_net-snmp">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_nss-pam-ldapd">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:nss-pam-ldapd"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_polkit">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:polkit"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -148,9 +148,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -158,9 +158,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49162,406 +49162,400 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_polipo_session_users_ocil:questionnaire:1">
+ <ocil:title>Disable the polipo_session_users SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_polipo_session_users_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1">
+ <ocil:title>Disable the entropyd_use_audio SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_entropyd_use_audio_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49164,406 +49164,400 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_polipo_session_users_ocil:questionnaire:1">
+ <ocil:title>Disable the polipo_session_users SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_polipo_session_users_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1">
+ <ocil:title>Disable the entropyd_use_audio SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_entropyd_use_audio_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,406 +7,400 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
- <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_ocil:questionnaire:1">
+ <ocil:title>Enable the GNOME3 Screen Locking On Smartcard Removal</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sssd_certificate_verification_ocil:questionnaire:1">
- <ocil:title>Certificate certificate status checking in SSSD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sssd_certificate_verification_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
+ <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
- <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
- <ocil:title>Disable the nagios_run_sudo SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_polipo_session_users_ocil:questionnaire:1">
+ <ocil:title>Disable the polipo_session_users SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_polipo_session_users_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1">
+ <ocil:title>Disable the entropyd_use_audio SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_entropyd_use_audio_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-9" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 9</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -48,34 +48,34 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_audit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_audit">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:audit"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -83,49 +83,49 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_sssd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_polkit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_net-snmp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:net-snmp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_net-snmp">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:net-snmp"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_polkit">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:polkit"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -133,9 +133,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -143,9 +143,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -4135,18 +4135,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4159,16 +4147,22 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
- <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
<ocil:title>Set Maximum Inactivity Period</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
+ <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
@@ -4183,9 +4177,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4193,7 +4193,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4201,7 +4201,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4209,7 +4209,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4225,7 +4225,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4233,7 +4233,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4241,7 +4241,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4251,6 +4251,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -4273,24 +4291,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-cinder_conf_file_perms_question:question:1">
<ocil:question_text>To check the permissions of /etc/cinder/*.conf,
run the command:
@@ -4300,17 +4300,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -4333,12 +4322,23 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
+$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+disable_user_account_days_inactive =
/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -4135,18 +4135,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4159,16 +4147,22 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
- <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
<ocil:title>Set Maximum Inactivity Period</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
+ <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
@@ -4183,9 +4177,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4193,7 +4193,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4201,7 +4201,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4209,7 +4209,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4225,7 +4225,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4233,7 +4233,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4241,7 +4241,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4251,6 +4251,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -4273,24 +4291,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-cinder_conf_file_perms_question:question:1">
<ocil:question_text>To check the permissions of /etc/cinder/*.conf,
run the command:
@@ -4300,17 +4300,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -4333,12 +4322,23 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
+$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+disable_user_account_days_inactive =
/usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,18 +7,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -31,16 +19,22 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
- <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
<ocil:title>Set Maximum Inactivity Period</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-cinder_conf_file_perms_ocil:questionnaire:1">
+ <ocil:title>Check-Block-02: Are strict permissions set for cinder config files?</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
@@ -55,9 +49,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -65,7 +65,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -73,7 +73,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -81,7 +81,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -97,7 +97,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -105,7 +105,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -113,7 +113,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -123,6 +123,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -145,24 +163,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-cinder_conf_file_perms_question:question:1">
<ocil:question_text>To check the permissions of /etc/cinder/*.conf,
run the command:
@@ -172,17 +172,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -205,5 +194,16 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
+$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+disable_user_account_days_inactive =
/usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-10-OSP" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat OpenStack Platform 10</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat OpenStack Platform 10. It is a rendering of
/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -4137,18 +4137,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4161,6 +4149,18 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_horizon_csrf_cookie_secure_ocil:questionnaire:1">
<ocil:title>Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments)</ocil:title>
<ocil:actions>
@@ -4173,12 +4173,6 @@
<ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4191,9 +4185,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4201,7 +4201,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4209,7 +4209,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4217,7 +4217,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4241,7 +4241,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4249,7 +4249,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4257,7 +4257,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4267,6 +4267,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -4289,24 +4307,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-container_horizon_csrf_cookie_secure_question:question:1">
<ocil:question_text>Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the
following line appears:
@@ -4323,17 +4323,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -4356,12 +4345,23 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -4137,18 +4137,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4161,6 +4149,18 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_horizon_csrf_cookie_secure_ocil:questionnaire:1">
<ocil:title>Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments)</ocil:title>
<ocil:actions>
@@ -4173,12 +4173,6 @@
<ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -4191,9 +4185,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4201,7 +4201,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4209,7 +4209,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4217,7 +4217,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4241,7 +4241,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4249,7 +4249,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4257,7 +4257,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -4267,6 +4267,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -4289,24 +4307,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-container_horizon_csrf_cookie_secure_question:question:1">
<ocil:question_text>Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the
following line appears:
@@ -4323,17 +4323,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -4356,12 +4345,23 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
/usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,18 +7,6 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
- <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -31,6 +19,18 @@
<ocil:test_action_ref>ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_lockout_failure_attempts_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Number of Failed Authentication Attempts</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-container_horizon_csrf_cookie_secure_ocil:questionnaire:1">
<ocil:title>Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments)</ocil:title>
<ocil:actions>
@@ -43,12 +43,6 @@
<ocil:test_action_ref>ocil:ssg-cinder_conf_file_perms_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
- <ocil:title>Set Maximum Inactivity Period</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-keystone_lockout_duration_ocil:questionnaire:1">
<ocil:title>Set Account Lockout Duration</ocil:title>
<ocil:actions>
@@ -61,9 +55,15 @@
<ocil:test_action_ref>ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
+ <ocil:questionnaire id="ocil:ssg-container_keystone_disable_user_account_days_inactive_ocil:questionnaire:1">
+ <ocil:title>Set Maximum Inactivity Period</ocil:title>
+ <ocil:actions>
+ <ocil:test_action_ref>ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1</ocil:test_action_ref>
+ </ocil:actions>
+ </ocil:questionnaire>
</ocil:questionnaires>
<ocil:test_actions>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -71,7 +71,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -79,7 +79,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -87,7 +87,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1" question_ref="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -111,7 +111,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -119,7 +119,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-keystone_lockout_duration_action:testaction:1" question_ref="ocil:ssg-keystone_lockout_duration_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -127,7 +127,7 @@
<ocil:result>FAIL</ocil:result>
</ocil:when_false>
</ocil:boolean_question_test_action>
- <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1" question_ref="ocil:ssg-container_keystone_lockout_failure_attempts_question:question:1">
+ <ocil:boolean_question_test_action id="ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1" question_ref="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
<ocil:when_true>
<ocil:result>PASS</ocil:result>
</ocil:when_true>
@@ -137,6 +137,24 @@
</ocil:boolean_question_test_action>
</ocil:test_actions>
<ocil:questions>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
+ <ocil:question_text>Run the following command to see what the account lockout
+duration is:
+
+$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+If properly configured, the output should be:
+lockout_duration=
+ Is it the case that lockout_duration is not configured properly?
+ </ocil:question_text>
+ </ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
+ <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
+following line appears:
+CSRF_COOKIE_SECURE True
+ Is it the case that CSRF_COOKIE_SECURE is set to False?
+ </ocil:question_text>
+ </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_failure_attempts_question:question:1">
<ocil:question_text>Run the following command to see what the maximum authentication
attempts is:
@@ -159,24 +177,6 @@
Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_lockout_duration_question:question:1">
- <ocil:question_text>Run the following command to see what the account lockout
-duration is:
-
-$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-lockout_duration=
- Is it the case that lockout_duration is not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-horizon_csrf_cookie_secure_question:question:1">
- <ocil:question_text>Check the file /etc/openstack-dashboard/local_settings and ensure the
-following line appears:
-CSRF_COOKIE_SECURE True
- Is it the case that CSRF_COOKIE_SECURE is set to False?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-container_horizon_csrf_cookie_secure_question:question:1">
<ocil:question_text>Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the
following line appears:
@@ -193,17 +193,6 @@
Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----?
</ocil:question_text>
</ocil:boolean_question>
- <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
- <ocil:question_text>Run the following command to see what the maximum authentication
-attempts is:
-
-$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
-
-If properly configured, the output should be:
-disable_user_account_days_inactive =
- Is it the case that disable_user_account_days_inactive is commented out or not configured properly?
- </ocil:question_text>
- </ocil:boolean_question>
<ocil:boolean_question id="ocil:ssg-keystone_lockout_duration_question:question:1">
<ocil:question_text>Run the following command to see what the account lockout
duration is:
@@ -226,5 +215,16 @@
Is it the case that lockout_failure_attempts is commented out or not configured properly?
</ocil:question_text>
</ocil:boolean_question>
+ <ocil:boolean_question id="ocil:ssg-container_keystone_disable_user_account_days_inactive_question:question:1">
+ <ocil:question_text>Run the following command to see what the maximum authentication
+attempts is:
+
/usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-13-OSP" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat OpenStack Platform 13</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat OpenStack Platform 13. It is a rendering of
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -26791,1108 +26791,1108 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_selinuxuser_use_ssh_chroot_ocil:questionnaire:1">
+ <ocil:title>Disable the selinuxuser_use_ssh_chroot SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure yum Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_cron_system_cronjob_use_shares_ocil:questionnaire:1">
+ <ocil:title>Disable the cron_system_cronjob_use_shares SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -26791,1108 +26791,1108 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_selinuxuser_use_ssh_chroot_ocil:questionnaire:1">
+ <ocil:title>Disable the selinuxuser_use_ssh_chroot SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure yum Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_cron_system_cronjob_use_shares_ocil:questionnaire:1">
+ <ocil:title>Disable the cron_system_cronjob_use_shares SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,1108 +7,1108 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
- <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_logadm_exec_content_ocil:questionnaire:1">
+ <ocil:title>Enable the logadm_exec_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_logadm_exec_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_selinuxuser_use_ssh_chroot_ocil:questionnaire:1">
+ <ocil:title>Disable the selinuxuser_use_ssh_chroot SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
+ <ocil:title>Install the tmux Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1">
+ <ocil:title>Verify File Hashes with RPM</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rpm_verify_hashes_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1">
- <ocil:title>Ensure cron Is Logging To Rsyslog</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-rsyslog_cron_logging_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_crond_enabled_ocil:questionnaire:1">
- <ocil:title>Enable cron Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure yum Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_crond_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_cron_system_cronjob_use_shares_ocil:questionnaire:1">
+ <ocil:title>Disable the cron_system_cronjob_use_shares SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
- <ocil:title>Add nosuid Option to /home</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
+ <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHV-4" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Virtualization 4</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
<platform id="cpe_platform_audit">
@@ -53,29 +53,29 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_yum">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:yum"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_nss-pam-ldapd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:nss-pam-ldapd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -88,44 +88,44 @@
<fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_libuser">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:libuser"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_yum">
+ <platform id="cpe_platform_polkit">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:yum"/>
+ <fact-ref name="cpe:/a:polkit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_sssd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_nss-pam-ldapd">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:nss-pam-ldapd"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
- <platform id="cpe_platform_polkit">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:polkit"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_libuser">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:libuser"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -133,9 +133,9 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -143,9 +143,9 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49397,88 +49397,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -49487,322 +49469,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -49400,88 +49400,70 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1">
- <ocil:title>Install openscap-scanner Package</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openscap-scanner_installed_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1">
- <ocil:title>Disable the httpd_dontaudit_search_dirs SELinux Boolean</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
- <ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
- </ocil:actions>
- </ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
- <ocil:title>Disable debug-shell SystemD Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-grub2_no_removeable_media_ocil:questionnaire:1">
+ <ocil:title>Boot Loader Is Not Installed On Removeable Media</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-grub2_no_removeable_media_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_rpcsvcgssd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable Secure RPC Server Service (rpcsvcgssd)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_rear_installed_ocil:questionnaire:1">
- <ocil:title>Install rear Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1">
+ <ocil:title>Disable the dhcpc_exec_iptables SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_rear_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-accounts_password_pam_maxclassrepeat_ocil:questionnaire:1">
+ <ocil:title>Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
- <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_httpd_read_user_content_ocil:questionnaire:1">
+ <ocil:title>Disable the httpd_read_user_content SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_httpd_read_user_content_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
+ <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_kerberos_enabled_ocil:questionnaire:1">
- <ocil:title>Enable the kerberos_enabled SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_staff_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the staff_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_kerberos_enabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_staff_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-service_snmpd_disabled_ocil:questionnaire:1">
- <ocil:title>Disable snmpd Service</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_cryptsetup-luks_installed_ocil:questionnaire:1">
+ <ocil:title>Install cryptsetup-luks Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-service_snmpd_disabled_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
<ocil:questionnaire id="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1">
@@ -49490,322 +49472,322 @@
<ocil:test_action_ref>ocil:ssg-sebool_nagios_run_sudo_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
- <ocil:title>Record Unsuccessul Ownership Changes to Files - chown</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_rsync_anon_write_ocil:questionnaire:1">
+ <ocil:title>Disable the rsync_anon_write SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_rsync_anon_write_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_ocil:questionnaire:1">
+ <ocil:title>Limit CPU consumption of the Perf system</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-group_unique_id_ocil:questionnaire:1">
- <ocil:title>Ensure All Groups on the System Have Unique Group ID</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /home</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-group_unique_id_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1">
- <ocil:title>Disable the secure_mode_insmod SELinux Boolean</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_ocil:questionnaire:1">
+ <ocil:title>Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sebool_secure_mode_insmod_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sebool_unprivuser_use_svirt_ocil:questionnaire:1">
+ <ocil:title>Disable the unprivuser_use_svirt SELinux Boolean</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dconf_gnome_enable_smartcard_auth_ocil:questionnaire:1">
- <ocil:title>Enable the GNOME3 Login Smartcard Authentication</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_ocil:questionnaire:1">
+ <ocil:title>Record Successful Creation Attempts to Files - openat O_CREAT</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
- <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
<xccdf-1.1:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.1="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <xccdf-1.1:status date="2022-02-28">draft</xccdf-1.1:status>
+ <xccdf-1.1:status date="2037-04-02">draft</xccdf-1.1:status>
<xccdf-1.1:title xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.1:title>
<xccdf-1.1:description xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -56,59 +56,54 @@
<cpe-lang:fact-ref name="cpe:/a:machine" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_login_defs">
- <cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:login_defs" />
- </cpe-lang:logical-test>
- </cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_audit">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:audit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_grub2">
+ <cpe-lang:platform id="cpe_platform_pam">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:grub2" />
+ <cpe-lang:fact-ref name="cpe:/a:pam" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_chrony">
+ <cpe-lang:platform id="cpe_platform_yum">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:chrony" />
+ <cpe-lang:fact-ref name="cpe:/a:yum" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sssd">
+ <cpe-lang:platform id="cpe_platform_net-snmp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sssd" />
+ <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_pam">
+ <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:pam" />
+ <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sudo">
+ <cpe-lang:platform id="cpe_platform_gdm">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sudo" />
+ <cpe-lang:fact-ref name="cpe:/a:gdm" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_sssd-ldap">
+ <cpe-lang:platform id="cpe_platform_login_defs">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:sssd-ldap" />
+ <cpe-lang:fact-ref name="cpe:/a:login_defs" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_postfix">
+ <cpe-lang:platform id="cpe_platform_sssd">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:postfix" />
+ <cpe-lang:fact-ref name="cpe:/a:sssd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_gdm">
+ <cpe-lang:platform id="cpe_platform_sudo">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:gdm" />
+ <cpe-lang:fact-ref name="cpe:/a:sudo" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_ntp">
+ <cpe-lang:platform id="cpe_platform_sssd-ldap">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:ntp" />
+ <cpe-lang:fact-ref name="cpe:/a:sssd-ldap" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_not_s390x_arch">
@@ -116,29 +111,29 @@
<cpe-lang:fact-ref name="cpe:/a:not_s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_wifi-iface">
+ <cpe-lang:platform id="cpe_platform_ntp">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
+ <cpe-lang:fact-ref name="cpe:/a:ntp" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:platform id="cpe_platform_grub2">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ <cpe-lang:fact-ref name="cpe:/a:grub2" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_yum">
+ <cpe-lang:platform id="cpe_platform_chrony">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:yum" />
+ <cpe-lang:fact-ref name="cpe:/a:chrony" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_net-snmp">
+ <cpe-lang:platform id="cpe_platform_postfix">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:net-snmp" />
+ <cpe-lang:fact-ref name="cpe:/a:postfix" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_nss-pam-ldapd">
+ <cpe-lang:platform id="cpe_platform_wifi-iface">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:nss-pam-ldapd" />
+ <cpe-lang:fact-ref name="cpe:/a:wifi-iface" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_polkit">
@@ -146,14 +141,19 @@
<cpe-lang:fact-ref name="cpe:/a:polkit" />
</cpe-lang:logical-test>
</cpe-lang:platform>
+ <cpe-lang:platform id="cpe_platform_libuser">
+ <cpe-lang:logical-test operator="OR" negate="false">
+ <cpe-lang:fact-ref name="cpe:/a:libuser" />
+ </cpe-lang:logical-test>
+ </cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_systemd">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:systemd" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_non-uefi">
+ <cpe-lang:platform id="cpe_platform_s390x_arch">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
+ <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
</cpe-lang:logical-test>
</cpe-lang:platform>
<cpe-lang:platform id="cpe_platform_uefi">
@@ -161,9 +161,9 @@
<cpe-lang:fact-ref name="cpe:/a:uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
- <cpe-lang:platform id="cpe_platform_s390x_arch">
+ <cpe-lang:platform id="cpe_platform_non-uefi">
<cpe-lang:logical-test operator="OR" negate="false">
- <cpe-lang:fact-ref name="cpe:/a:s390x_arch" />
+ <cpe-lang:fact-ref name="cpe:/a:non-uefi" />
</cpe-lang:logical-test>
</cpe-lang:platform>
</cpe-lang:platform-specification>
RPMS.2017/scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -167,26 +167,26 @@
___QF_CHECKSUM___
/usr/share/doc/scap-security-guide 0
/usr/share/doc/scap-security-guide/guides 0
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 921aa93eaa45ac904289a1224ac62dbe170e21952d5ccebf11769c8aeaa025bf 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 008f427c128cb23219ecd351104381b3268b3104ea949fcb99c02fb47be97b6f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html ae0f4a465607b3ce626518def6f09eddf083a0dfddadcf55d7ebcc7ef59e4242 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 3e30e79f215b4c9704845ad9eb94ee884a816c56419f4d73fe3dbc90574a303f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html c688f0b5c00f82bf229aefa2e12fe06b8912dd8ecc722aae90ef430b929cadd7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 5f92502faf91bb126e031747ae1287a0e94a1d568af373b681a85bb4a60bcb01 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html d77df8228aefec8d009894bbb790978caa51318c8db252e03c25a29e5d8e52d4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html d6bc27a3e20b69efbab609b931d63868d5b37a25b20eea670a5635e4ebd51e3e 2
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-index.html 8feadd06f2ff62e540d038be69883df5f1c307f382bd2ef22a04040dd54b5212 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 3ffdf07717b773dc046ef877d69dd4a2f13a6ab4bd013b16575e802320844f06 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 3fa12873b0ddf8b0e17bf1eeea5bf3b8a18c4c85d228e5085368798d26274b75 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html e07558e111ee9696f514d15a9babcb6ede1492ad6bba3b839cd9c88482f1e431 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html c2146741a28de6043ad78bc9afde0bf8e0c1f0a1c0bcca0ab6ecc01e92436a92 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2682f0c4e95b30fcb99ba03cf8faaf2d4db998fc3c9883aaeacb3433ec2a0014 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2da0f4bbd7f3d3b9b52e102caf1585301382c55e4188ee0bca1bf9de45ab2fac 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html e3fede24a893cf2bc3d1b575c9784e284dfd5f008781492f5499536f78ffcd0b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html d32b85e8e08d6168bbe9cd3024ba898ee456ba4ea3a58bc72138480384e0d717 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html aa0d9aac5ad1a4f0fe32689922083bf81c96bab7cd60ef7153994fdb773f8a10 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html ca9f332c17f3d9333fd8aa15d814a6e669c7c498e48b4b2904faff4aa4234073 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 4a84e4e2a2460618ba58f6ba92c56c5eb7914e2234e97488e368736c3dbc1f2b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html a6d45b05841394f3e1935d9e3bcb002750f0318422a62aba03fd6753a1e36eed 2
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-index.html 8a96bcdaaf93a334d9cfdeeb4e6b7e8f002d0e010a034757a3729c0b5a2c5f02 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 10ff24aaa737ea4e105570585145b895ee8d09379f969fb695a5dbdc6ccba4ae 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html ede61990bc6027e662f3ff392c3c3fa8cb38aa216edb5aa22258acd8172ece22 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 7c8ec10918d012e69a08e7d4c1f012fa57d7b1002f826dfad6156da966041c47 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html ea066413e18354501a50ddb48f784b72b2344f610ba0f0ce540f3fa30935d4f6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html c5ada4e5497a4a3b54712c3edfdb924643e9165f657386e590ef856595e7940b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html f6e10946d720f72d9383e0b9854d2dfb0f5e1e6dd0f380d382b5e985f221feb4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html a9ca069a7cb6cf676dc2d492151d70a132d49d71bf0226d4fbf5ddd473093f87 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html c5510b92320f8f6a8945bedb5d4510961d337e9f5e7672070e6f690a785aa50e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 71e8ef3c2422a3c06a88a215169af436efea8d7778dab1cc7ebedd2f3599b2af 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 8ea3a319fcda1af9b322bb9fd3135d72633ee32ce0743ac7c92071290bf57fc7 2
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-index.html ee88ebb127c3e014def3a9d5220f39fd4f0ffeda8c4269af69dfce0c5147aa58 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 8683234fa497c5d2cb1379a230c5ff3e1e61174faa5352f4cb20318f972d386c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html d9a078c4395a3ec777eb41bd5fef4abac29537c3cedb639047673c03dea48e6e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 37c58295a8f5c788b700fb566786b1ff34c6468e09416ffa175ef80050f35b22 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 5e325cba0632c6289deae45995cb090c30f998805bc37dadab90902ca3b2049e 2
/usr/share/doc/scap-security-guide/tables 0
/usr/share/licenses/scap-security-guide-ubuntu 0
/usr/share/licenses/scap-security-guide-ubuntu/LICENSE ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 128
@@ -233,25 +233,25 @@
/usr/share/xml/scap/ssg/content 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 2471d6ff7a0c2de16b8760b16b5c721e691c7a3c0604f25d4d189d74873682c4 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-oval.xml e5e9192175cdb446668f507ea04989eedf607c5a0d4016da6b897996080278ce 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 468865bbdbcfa6aca95653fc397425de356bf8322cec0b1c4627b6f03cf92f1b 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 3008a4251f7b67cdfc2f15f118f0bc2579cb6248d51d93066e05942faa78c659 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 0e6e701bc00cc4fa78e3abe2b2a010390ca339625087475c6aedbf690539c91a 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml db5a1a8d99833f999a2450822101ac7e0f992a659bc5b7ae95693835a3294b09 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 95b97dde55b8bfe55b3e20188a2d63edc194e8c33543a1b86e564b8c1fdb6761 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml f9f09d591da1846adcfb033fe954fc05c6f3acbb1b80ecaae66e3524c880f227 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml cfb03a425b4e513415a4085000c6a98349c4b78db9ca5d3cf32626e32575d4b8 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 5be73d5a5ad50f56fa58c96d950f4c28aa62aebf4d0acd9559790005025d9dac 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml ac09e3e1c59e2085ae2aa8cc7a98132b0012a76d19b46cd49c14caac96bb8936 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-dictionary.xml 86672355f727e3abf517b1937b1e91f6719e0cc993ef2c25939b282424a304b4 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-oval.xml 35bc02f238dcac9ed6ec8fae912655f1d492e01e7639dd8d3a4a88655ba945a0 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml d23c4315a750cc8ef52cf241fb761ef8dbb90c8f896d9c68ae0b5af51e5ae4fb 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml cf5bc223b15334928c47bc6407533af000ee94b2f73be51c4ee472c1a08dd00c 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 078bce1e7be90a464a318725b5408d57622ee9de0a7244303a5da85d7e74715d 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml df929acdfe115b45d69104b6052d838cabb30239bcf99b1a622a95c9b45962a1 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 7137b965a747302f4e112c9d0989d35dbd1facddf79fc7c3af978e67f28124a5 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 709297485143ebb70c9e47f23eb881d7377b670614f76441e9f560b28688ffe9 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-oval.xml 34ceac54c1853a7ab3eb9a7b5d86fbb47d467d7ceb90ae69d67d8ac18ebc4d77 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 44e6d7607338a70964840fee942768dfdf8a3b27b1114acb3bbbf5b2bd9de8cd 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml c8b69a51442d37090fc9a00b6b6d086e1acc7db0cfee1cfea74ce1f1ca2d8e02 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-dictionary.xml 01f8c5a1a04774c11ecea74f61afba2b0881238f658a9419e635dfc3150653e5 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-oval.xml 0bfe16ffc0765b1926d3034dc008ec665908d5da0e873d0451ded33ec2658195 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 436203cbb7f58ae3c6a8b36294c11aa0b35ab7ec00791a510a22cac0e67171de 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml f20d87150f48897bf76e9a0d0ef9aeb3c26d3eecb90e2a6c0dd1ba3485864bf5 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 0eae347254c129ffa03d734a3fcea7bd8162d091c5dbcd4a9edfe9b8130b2ebc 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 23fab276fc470aeb7a316366932a70fef59d66c5f15479bcf354d3f0b8ca93f0 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 15101beaf94ab0102470d262c5368d2abdbf4bfdbe6313051fa577676cb8c6d3 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 0fed41cde526943d4e609900c2e8fb8e7ce992907aea3ce3f11cf46964a38a11 0
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-oval.xml 27f040a6bc4276f1e41d6ec7180bccc622c9eccff7b1dcead7589078d8ab5745 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 5defbd72c4da63c71d85489cb8df6b0e18527a96453db8fc674ebc548e0b1ec2 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml aaf193fb78011ef8e3b6780e2d22ce722aa8bc2c0643528d1c756a2615b01fa8 0
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 16.04
<small>Group contains 19 groups and 40 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 16.04
<small>Group contains 22 groups and 46 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 16.04
<small>Group contains 9 groups and 19 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 16.04
<small>Group contains 21 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 16.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 16.04
<small>Group contains 19 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 19 groups and 40 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 22 groups and 46 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 9 groups and 19 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 21 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 18.04 LTS Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 21 groups and 71 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 18.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 18.04
<small>Group contains 19 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 1 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 81 groups and 189 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 1 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 78 groups and 188 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 2 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 92 groups and 273 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 2 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 92 groups and 275 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 20.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 22 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R1</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.60</strong></p><ul><li><strong>draft</strong>
- (as of 2022-02-28)
+ (as of 2037-04-02)
</li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>
Guide to the Secure Configuration of Ubuntu 20.04
<small>Group contains 73 groups and 172 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12676,154 +12676,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12678,154 +12678,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,154 +7,154 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
+ <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="UBUNTU-XENIAL" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Ubuntu 16.04</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -53,9 +53,9 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +68,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,19 +83,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -103,19 +98,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13583,166 +13583,166 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -13583,166 +13583,166 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,166 +7,166 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
+ <ocil:title>Add nosuid Option to /tmp</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
+ <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
+ <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
+ <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
- <ocil:title>Set Password Maximum Age</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
- <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
+ <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
+ <ocil:title>Force frequent session key renegotiation</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
- <ocil:title>Verify User Who Owns shadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
+ <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
- <ocil:title>Remove the OpenSSH Server Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
+ <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
- <ocil:title>Ensure gnutls-utils is installed</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure rsyslog is Installed</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
+ <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
- <ocil:title>Don't target root user in the sudoers file</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="UBUNTU-BIONIC" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Ubuntu 18.04</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -53,9 +53,9 @@
<fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
<platform id="cpe_platform_login_defs">
@@ -68,6 +68,11 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_postfix">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:postfix"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:ntp"/>
@@ -78,19 +83,9 @@
<fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_postfix">
- <logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
- </logical-test>
- </platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
<platform id="cpe_platform_grub2">
@@ -103,19 +98,24 @@
<fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
+ <platform id="cpe_platform_s390x_arch">
+ <logical-test operator="OR" negate="false">
+ <fact-ref name="cpe:/a:s390x_arch"/>
+ </logical-test>
+ </platform>
<platform id="cpe_platform_uefi">
<logical-test operator="OR" negate="false">
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -23214,1402 +23214,1402 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure apt_get Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_mcafeetp_installed_ocil:questionnaire:1">
+ <ocil:title>Install McAfee Endpoint Security for Linux (ENSL)</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_mcafeetp_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_stig_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-ensure_sudo_group_restricted_ocil:questionnaire:1">
- <ocil:title>Ensure sudo group has only necessary members</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-ensure_sudo_group_restricted_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_hourly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.hourly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -23214,1402 +23214,1402 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure apt_get Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_mcafeetp_installed_ocil:questionnaire:1">
+ <ocil:title>Install McAfee Endpoint Security for Linux (ENSL)</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_mcafeetp_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_stig_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-ensure_sudo_group_restricted_ocil:questionnaire:1">
- <ocil:title>Ensure sudo group has only necessary members</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-ensure_sudo_group_restricted_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_hourly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.hourly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,1402 +7,1402 @@
<ocil:timestamp>2022-02-22T00:00:00</ocil:timestamp>
</ocil:generator>
<ocil:questionnaires>
- <ocil:questionnaire id="ocil:ssg-set_password_hashing_algorithm_logindefs_ocil:questionnaire:1">
- <ocil:title>Set Password Hashing Algorithm in /etc/login.defs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-service_sshd_enabled_ocil:questionnaire:1">
+ <ocil:title>Enable the OpenSSH Service</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-service_sshd_enabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
- <ocil:title>Resolve information before writing to audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
- <ocil:title>Uninstall talk Package</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
+ <ocil:title>Remove telnet Clients</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_talk_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
- <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-vlock_installed_ocil:questionnaire:1">
+ <ocil:title>Check that vlock is installed to allow session locking</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-vlock_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
- <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
+ <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
- <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_insmod_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - insmod</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
- <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
+ <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
- <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
+ <ocil:title>Verify permissions of log files</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_weekly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.weekly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+ <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_permissions_cron_weekly_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
- <ocil:title>A remote time server for Chrony is configured</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
+ <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
- <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
+ <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-grub2_audit_argument_ocil:questionnaire:1">
- <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-enable_dconf_user_profile_ocil:questionnaire:1">
+ <ocil:title>Configure GNOME3 DConf User Profile</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-grub2_audit_argument_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-enable_dconf_user_profile_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
- <ocil:title>Verify permissions of log files</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_ocil:questionnaire:1">
+ <ocil:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-package_telnet_removed_ocil:questionnaire:1">
- <ocil:title>Remove telnet Clients</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
+ <ocil:title>Install the OpenSSH Server Package</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-package_telnet_removed_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
- <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_xorg-x11-server-common_removed_ocil:questionnaire:1">
+ <ocil:title>Remove the X Windows Package Group</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
- <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-clean_components_post_updating_ocil:questionnaire:1">
+ <ocil:title>Ensure apt_get Removes Previous Package Versions</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-clean_components_post_updating_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
- <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
+ <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
- <ocil:title>Disable SSH TCP Forwarding</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_mcafeetp_installed_ocil:questionnaire:1">
+ <ocil:title>Install McAfee Endpoint Security for Linux (ENSL)</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-package_mcafeetp_installed_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
- <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
+ <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
- <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_stig_ocil:questionnaire:1">
+ <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-ensure_sudo_group_restricted_ocil:questionnaire:1">
- <ocil:title>Ensure sudo group has only necessary members</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
+ <ocil:title>Disable Mounting of cramfs</ocil:title>
<ocil:actions>
- <ocil:test_action_ref>ocil:ssg-ensure_sudo_group_restricted_action:testaction:1</ocil:test_action_ref>
+ <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
</ocil:actions>
</ocil:questionnaire>
- <ocil:questionnaire id="ocil:ssg-file_permissions_cron_hourly_ocil:questionnaire:1">
- <ocil:title>Verify Permissions on cron.hourly</ocil:title>
+ <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
+ <ocil:title>Ensure nss-tools is installed</ocil:title>
<ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="UBUNTU_20-04" resolved="1" xml:lang="en-US" style="SCAP_1.1">
- <status date="2022-02-28">draft</status>
+ <status date="2037-04-02">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Ubuntu 20.04</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform-specification xmlns="http://cpe.mitre.org/language/2.0">
- <platform id="cpe_platform_login_defs">
+ <platform id="cpe_platform_machine">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:login_defs"/>
+ <fact-ref name="cpe:/a:machine"/>
</logical-test>
</platform>
<platform id="cpe_platform_audit">
@@ -53,19 +53,19 @@
<fact-ref name="cpe:/a:audit"/>
</logical-test>
</platform>
- <platform id="cpe_platform_machine">
+ <platform id="cpe_platform_pam">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:machine"/>
+ <fact-ref name="cpe:/a:pam"/>
</logical-test>
</platform>
- <platform id="cpe_platform_chrony">
+ <platform id="cpe_platform_gdm">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:chrony"/>
+ <fact-ref name="cpe:/a:gdm"/>
</logical-test>
</platform>
- <platform id="cpe_platform_grub2">
+ <platform id="cpe_platform_login_defs">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:grub2"/>
+ <fact-ref name="cpe:/a:login_defs"/>
</logical-test>
</platform>
<platform id="cpe_platform_sudo">
@@ -73,29 +73,29 @@
<fact-ref name="cpe:/a:sudo"/>
</logical-test>
</platform>
- <platform id="cpe_platform_pam">
+ <platform id="cpe_platform_grub2">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:pam"/>
+ <fact-ref name="cpe:/a:grub2"/>
</logical-test>
</platform>
- <platform id="cpe_platform_wifi-iface">
+ <platform id="cpe_platform_chrony">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:wifi-iface"/>
+ <fact-ref name="cpe:/a:chrony"/>
</logical-test>
</platform>
- <platform id="cpe_platform_ntp">
+ <platform id="cpe_platform_postfix">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:ntp"/>
+ <fact-ref name="cpe:/a:postfix"/>
</logical-test>
</platform>
- <platform id="cpe_platform_gdm">
+ <platform id="cpe_platform_wifi-iface">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:gdm"/>
+ <fact-ref name="cpe:/a:wifi-iface"/>
</logical-test>
</platform>
- <platform id="cpe_platform_postfix">
+ <platform id="cpe_platform_ntp">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:postfix"/>
+ <fact-ref name="cpe:/a:ntp"/>
</logical-test>
</platform>
<platform id="cpe_platform_systemd">
@@ -103,14 +103,14 @@
<fact-ref name="cpe:/a:systemd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_non-uefi">
+ <platform id="cpe_platform_sssd">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:non-uefi"/>
+ <fact-ref name="cpe:/a:sssd"/>
</logical-test>
</platform>
- <platform id="cpe_platform_sssd">
+ <platform id="cpe_platform_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:sssd"/>
+ <fact-ref name="cpe:/a:s390x_arch"/>
</logical-test>
</platform>
<platform id="cpe_platform_uefi">
@@ -118,14 +118,14 @@
<fact-ref name="cpe:/a:uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_not_s390x_arch">
+ <platform id="cpe_platform_non-uefi">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:not_s390x_arch"/>
+ <fact-ref name="cpe:/a:non-uefi"/>
</logical-test>
</platform>
- <platform id="cpe_platform_s390x_arch">
+ <platform id="cpe_platform_not_s390x_arch">
<logical-test operator="OR" negate="false">
- <fact-ref name="cpe:/a:s390x_arch"/>
+ <fact-ref name="cpe:/a:not_s390x_arch"/>
</logical-test>
</platform>
</platform-specification>
overalldiffered=4 (not bit-by-bit identical)
overall=1