Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
- CCE-91494-5 References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 67 groups and 287 rules | Group
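Review bot: the Revision History date flips from "(as of 2023-10-20)" to "(as of 2039-11-21)", a date sixteen years in the future, so the guide was regenerated on a host with a wrong clock or with a faked build date; regenerate with the correct date before merging, since the same bogus date is written into every profile's Revision History in this diff.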
@@ -133,15 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
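Review bot: the "-" lines drop the aide "Remediation Shell script" block (the zypper install wrapped in the /.dockerenv and /run/.containerenv applicability guard) and the following hunk at +151 re-adds it unchanged after the Ansible snippet, so this is a reorder of remediation snippets with no content change. The one thing to confirm against the rendered HTML is that the "Remediation Ansible snippet" header block (the Complexity/Disruption/Strategy table plus "- name: Ensure aide is installed") now appears twice in the new text, which is either a duplicated header in the regenerated guide or a diff-extraction artifact. The same reorder is applied to the aide, sudo and dnf-automatic package rules in every profile below.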
@@ -159,6 +151,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -181,18 +181,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,22 +295,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -441,33 +441,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | Identifiers:
CCE-83048-9 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r902843_rule | | |
| Rule
Configure AIDE to Verify Access Control Lists (ACLs)
[ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -525,35 +525,7 @@
/etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | Identifiers:
CCE-83150-3 References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-12-010520, SV-217150r880939_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 53 groups and 158 rules | Group
@@ -133,15 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -159,6 +151,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -181,18 +181,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -405,15 +405,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -428,6 +420,14 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -437,27 +437,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-91492-9 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-91493-7 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
+ BP28(R58) | |
| Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
- CCE-91494-5 References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 25 groups and 43 rules | Group
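Review bot: the "Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC" rule (xccdf_org.ssgproject.content_rule_sudo_add_noexec, CCE-91494-5) is removed in this hunk with no matching "+" block visible, while the ignore_dot rule directly above it is removed and re-added with identical text; confirm the NOEXEC rule is re-added elsewhere in this profile rather than dropped, since a high-severity sudo rule silently disappearing from the guide would be a regression. The ignore_dot remove/re-add differs only in the trailing table cells ("| |" versus "| | |"), i.e. generator churn rather than a content change.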
@@ -109,22 +109,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-83013-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
- CCE-83012-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
+ CCE-83012-5 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule | |
| Group
Updating Software
Group contains 8 rules | [ref]
@@ -255,9 +255,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-zypper install -y "dnf-automatic"
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -269,6 +267,8 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+zypper install -y "dnf-automatic"
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
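Review bot: the moved shell remediation for this rule is a bare "zypper install -y "dnf-automatic"" without the /.dockerenv and /run/.containerenv applicability guard that the aide and sudo remediation scripts in this diff carry, so it will attempt the install inside containers where the other scripts print "Remediation is not applicable, nothing was done" and exit; align it with the guarded form. Separately, this is a SUSE Linux Enterprise 12 guide installing a DNF plugin with zypper, and the rule below configures /etc/dnf/automatic.conf; confirm the package actually exists for this platform before shipping the remediation.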
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | Identifiers and References | Identifiers:
CCE-91474-7 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | Identifiers:
+ CCE-91478-8 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | Identifiers:
- CCE-91478-8 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 112 groups and 357 rules | Group
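Review bot: the "Configure dnf-automatic to Install Only Security Updates" rule (xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only, CCE-91478-8) is added and then removed in this same hunk with identical text; the only difference is the trailing table cells ("| |" versus "| Profile InformationCPE Platforms- ..."), so this is table-cell churn from the generator, not a content change, and if the intent was to reorder the rule the hunk does not show it landing anywhere new. Check the diff was produced from a clean regeneration so that reviewers can see the real changes (the remediation reorder and the date) without this noise.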
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -425,22 +425,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | |
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -617,69 +617,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-92346-6 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 100 groups and 285 rules | Group
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -425,22 +425,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -567,69 +567,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-92346-6 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 93 groups and 276 rules | Group
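Review bot: the only changed lines in this hunk are the revision-history stamp, `- (as of 2023-10-20)` replaced by `+ (as of 2039-11-21)`, while `Current version: 0.1.70 - draft` and the whole table of contents are unchanged context. A date that moves by sixteen years with no version change means the generator writes its own wall-clock time into the HTML, so two builds of the same source never compare equal. Take the timestamp from SOURCE_DATE_EPOCH when it is set (the reproducible-builds convention), or drop the "as of" date in favour of the content version.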
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
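Review bot: the remediation blocks are emitted in an order that differs between the two builds, which is what this hunk records: the shell script (`if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` ... `zypper install -y "aide"`) is deleted from in front of the Ansible snippet only to be re-added, byte for byte, after the `package_aide_installed` tag list in the following hunk; the header pair `@@ -126,15 +126,7 @@` / `@@ -152,6 +144,14 @@` nets out to zero lines. Iterating a set or dict of remediation types is the usual cause; sort them by a fixed key (for example the remediation language) so the guide is stable across builds and real content changes are not buried under reorder noise.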
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
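Review bot: the re-added script's applicability guard recognises only two container markers, `/.dockerenv` (Docker) and `/run/.containerenv` (Podman); LXC, systemd-nspawn and containerd or CRI-O pods create neither file, so on those hosts the script goes on to run `zypper install -y "aide"` inside the container. If the intent is "skip in any container", `systemd-detect-virt --container` is the more general test; if only those two runtimes are meant, say so in the comment above the `if`. Separately, the `+` blank line ahead of `Remediation Shell script ⇲` is the block's separator travelling with it, which confirms the hunk is a pure move.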
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -425,22 +425,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -567,69 +567,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-92346-6 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 109 groups and 353 rules | Group
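Review bot: same build-time stamp as in the other profiles of this diff: `- (as of 2023-10-20)` to `+ (as of 2039-11-21)` is the only change, with the version still `0.1.70 - draft`. The value should come from the source (SOURCE_DATE_EPOCH or the content version), not from the clock at generation time, otherwise every rebuild produces a spurious diff of every guide.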
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
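Review bot: the shell block removed here (`-Remediation Shell script ⇲` through `-fi`) is not dropped, it moves below the Ansible snippet in the next hunk, so the remediation content is unchanged and only the emission order differs between builds. Please fix the ordering in the generator rather than accept the churn; with a fixed order this hunk disappears entirely.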
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
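Review bot: the skipped branch of the re-added script, `>&2 echo 'Remediation is not applicable, nothing was done'`, exits with status 0, so a runner that collects exit codes cannot tell "remediation applied" from "remediation skipped as not applicable". If callers are expected to act on that distinction, return a documented non-zero code from the `else` branch; if exit 0 is deliberate for "nothing to do", record that in the `# Remediation is applicable only in certain platforms` comment.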
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -425,22 +425,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | |
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -617,69 +617,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-92346-6 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- Web Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 89 groups and 213 rules | Group
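Review bot: again the only change is the generated date (`+ (as of 2039-11-21)`); the CPE platforms, version and table of contents are untouched context. This is a reproducibility defect in the HTML generator, not a content change, and it repeats for every guide in this diff.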
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-91632-0 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,32 +346,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-91634-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -478,15 +478,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
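Review bot: the removed shell remediation reappears unchanged in the next hunk after the `- package_aide_installed` tag, so this is a reorder, not a deletion. Note that the removed heading carries a leading space here, `- Remediation Shell script ⇲`, which the same heading in the other profiles of this diff lacks; worth checking whether the template indents that block differently per profile. Sorting remediation types before rendering removes the reorder; consistent whitespace in the template removes the second oddity.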
@@ -504,6 +496,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
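Review bot: `zypper install -y "aide"` is the only action in the re-added script and nothing afterwards confirms the package is present; the script's exit status is zypper's, which is acceptable for scripted runs, but a repository failure leaves the rule still failing with no message of the script's own. A trailing `rpm -q aide` check with an explicit stderr message would make failed remediations visible in the run log.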
@@ -526,18 +526,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -640,22 +640,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 61 groups and 150 rules | Group
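Review bot: the tail of this hunk belongs to a different profile's front matter (the `Profile Information` block is glued onto the `aide_periodic_cron_checking` references line), and the change in it is once more just `- (as of 2023-10-20)` to `+ (as of 2039-11-21)`. Nothing in the rule content changed; the generator's date stamp should be made deterministic.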
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-91632-0 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,32 +346,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-91634-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -478,15 +478,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
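Review bot: move, not deletion: every removed line of the shell remediation, from the `Complexity`/`Disruption`/`Strategy` metadata to `-fi`, returns verbatim in the next hunk below the Ansible tags, and the header counts (`-15 +7` here, `-6 +14` there) make that explicit. Deterministic ordering of remediation types in the generator is the fix.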
@@ -504,6 +496,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
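Review bot: the container guard `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` is the only platform check in the re-added script; there is no check that `zypper` exists or that the host is SUSE, which is fine for a SLE-specific guide but deserves a comment, since the identical script text is shared by the sle12 and sle15 guides in this diff. Consider stating the supported runtimes next to `# Remediation is applicable only in certain platforms`.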
@@ -526,18 +526,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -640,22 +640,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- File Permissions and Masks
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 4 groups and 3 rules | Group
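Review bot: `Group contains 4 groups and 3 rules` makes this the smallest profile in the diff, and it still carries the same single change, the generated date `+ (as of 2039-11-21)`. A fixed or source-derived date stamp would make all of these hunks disappear together.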
@@ -114,8 +114,7 @@
[ref] | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | Identifiers and References | Identifiers:
CCE-91627-0 References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | Identifiers and References | Identifiers:
CCE-91666-8 References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify Permissions on passwd File
[ref] |
@@ -202,13 +202,7 @@
accounts on the system and associated information, and protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | Identifiers and References | Identifiers:
CCE-91452-3 References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
|
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
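Review bot: the headers `@@ -114,8 +114,7 @@` and `@@ -202,13 +202,7 @@` announce net removals (one and six lines) from the `/etc/passwd` ownership and permission rules, but no `-` lines survive in this rendering, only the rule text and the bulleted reference lists; the actual change to these rules cannot be reviewed from this excerpt. Please attach the full diff for these two hunks.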
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 82 groups and 240 rules | Group
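Review bot: the `---`/`+++` header shows the `old/` and `new/` copies of ssg-sle12-guide-stig.html with identical mtimes (2023-10-17), and the `@@ -66,7 +66,7 @@` hunk changes exactly one line, the "as of" date, from 2023-10-20 to 2039-11-21 with `0.1.70 - draft` unchanged. That is a timestamp read from the build clock at generation time; replace it with a value derived from SOURCE_DATE_EPOCH or the content version so that the STIG guide, the one most likely to be compared across builds as compliance evidence, is reproducible.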
@@ -122,15 +122,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
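Review bot: in this profile too the shell remediation (`-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` ... `-fi`) is removed only to be re-added after the Ansible snippet in the next hunk; the reorder is identical in every guide of this diff, which points at the generator's iteration order over remediation types rather than at any content. Sort them before rendering.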
@@ -148,6 +140,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
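Review bot: the re-added script is the exact text removed eight lines earlier, so there is nothing new in its logic to review; what this hunk does establish is that `Remediation Ansible snippet` now precedes `Remediation Shell script` in the output. If that order is intentional (Ansible first), make the generator enforce it; if it is accidental, the order may flip back on the next build and produce the mirror image of this diff.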
@@ -170,18 +170,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -283,66 +283,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-83204-8 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r877393_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 66 groups and 233 rules | Group
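Review bot: the Revision History timestamp changes from `(as of 2023-10-20)` to `(as of 2039-11-21)`, a date years in the future, which most likely means the guides were regenerated on a host with a wrong clock rather than reflecting a real new revision; regenerate with a correct date before merging, since this line is the only indication a reader has of which content build a guide reflects. The same bogus timestamp is written into every regenerated guide in this patch.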
@@ -133,15 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -159,6 +151,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -181,18 +181,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -418,15 +418,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -441,6 +433,14 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -450,27 +450,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-91185-9 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
+ BP28(R58) | |
| Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
- CCE-91186-7 References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
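Review bot: this hunk drops the high-severity rule `xccdf_org.ssgproject.content_rule_sudo_add_noexec` from the profile (the `- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC` block has no added counterpart), while the `sudo ignore_dot` rule immediately above it is removed and re-inserted with identical visible text. Removing the NOEXEC control is a real change to the profile's sudo hardening and needs a stated reason in the commit message (the same removal recurs in the later SLE 15 guide in this patch), whereas the ignore_dot delete-and-re-add looks like markup-only churn that should not show up in the diff at all; separating the intended rule removal from the re-rendering noise would make the change reviewable.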
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 67 groups and 286 rules | Group
@@ -133,15 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -159,6 +151,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -181,18 +181,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,22 +295,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010420, 1.4.2, SV-234851r902851_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -431,33 +431,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | Identifiers:
CCE-91214-7 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, SV-234864r902854_rule | | |
| Rule
Configure AIDE to Verify Access Control Lists (ACLs)
[ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -517,35 +517,7 @@
/etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | Identifiers:
CCE-85623-7 References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r880968_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 53 groups and 157 rules | Group
@@ -133,15 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -159,6 +151,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -181,18 +181,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -405,15 +405,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -428,6 +420,14 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -437,27 +437,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-91185-9 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
+ BP28(R58) | |
| Rule
- Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- [ref] | The sudo NOEXEC tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the NOEXEC tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
- CCE-91186-7 References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 25 groups and 43 rules | Group
@@ -109,22 +109,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-83291-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
- CCE-85663-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
+ CCE-85663-3 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule | |
| Group
Updating Software
Group contains 8 rules | [ref]
@@ -255,9 +255,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-zypper install -y "dnf-automatic"
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -269,6 +267,8 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+zypper install -y "dnf-automatic"
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
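Review bot: the Shell script remediation moved in this hunk installs `dnf-automatic` with `zypper install -y "dnf-automatic"` inside a Guide to the Secure Configuration of SUSE Linux Enterprise 15, and the rules that follow configure `/etc/dnf/automatic.conf`; dnf-automatic is the Fedora/RHEL auto-update tool, so confirm the package actually exists in the SLE repositories this profile targets before shipping a remediation that will fail (and leave the system unpatched) on the target platform. Unlike the aide and sudo remediations elsewhere in this patch, this script also lacks the `# Remediation is applicable only in certain platforms` container guard (`[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]`), so it should either get the same gating or carry an explicit reason for the difference.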
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | Identifiers and References | Identifiers:
CCE-91165-1 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | Identifiers:
+ CCE-91166-9 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | Identifiers:
- CCE-91166-9 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 115 groups and 375 rules | Group
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -276,46 +276,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -453,22 +453,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 103 groups and 302 rules | Group
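Review bot: the replacement build stamp `+ (as of 2039-11-21)` is sixteen years in the future relative to the `- (as of 2023-10-20)` it replaces, so the rendered guide would advertise a generation date that cannot be right; check the clock on the build host, or the date the generator was handed, and regenerate so the stamp is the real build date. The same swap from 2023-10-20 to 2039-11-21 appears in every profile page in this patch, so the fix belongs in the generator rather than in each page.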
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
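Review bot: the lone `+` line after `- name: Ensure aide is installed` inserts an empty line inside the rendered Ansible snippet, between the task name and its `package:` body, which reads as a formatting slip rather than an intended change; drop it, or if the blank is meant to separate the snippet from the heading that follows, place it after the snippet's last line instead. The `-Remediation Shell script ⇲` heading and the `-if ... zypper install -y "aide" ... fi` block removed here are the same lines re-added in the next hunk, so on its own this hunk only relocates the shell remediation below the Ansible one.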
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
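Review bot: the added block, from `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` through `+fi` with `+zypper install -y "aide"` in between, is byte-identical to the block removed in the previous hunk, including the container guard and the `>&2 echo 'Remediation is not applicable, nothing was done'` branch, so the net change is only that the shell remediation now follows the Ansible snippet; please state in the change description why the remediation order changed, since consumers that rely on the order of remediation sections will now see the Ansible task first. The leading `+` blank line before `Remediation Shell script ⇲` gives the moved section the separator it previously lacked. The same remove/re-add pair recurs for each profile page below.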
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -276,46 +276,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -453,22 +453,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 96 groups and 293 rules | Group
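Review bot: same future-dated build stamp here, `+ (as of 2039-11-21)` replacing `- (as of 2023-10-20)`, for this profile page; it should be corrected at the generator together with the first occurrence rather than patched page by page.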
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -276,46 +276,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -453,22 +453,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 112 groups and 371 rules | Group
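Review bot: same future-dated build stamp here, `+ (as of 2039-11-21)` replacing `- (as of 2023-10-20)`, for this profile page; it should be corrected at the generator together with the first occurrence rather than patched page by page.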
@@ -126,15 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -152,6 +144,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,18 +174,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -276,46 +276,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -453,22 +453,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.6.4 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 138 rules | Group
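Review bot: same future-dated build stamp here, `+ (as of 2039-11-21)` replacing `- (as of 2023-10-20)`, for this profile page; it should be corrected at the generator together with the first occurrence rather than patched page by page.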
@@ -141,16 +141,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -334,32 +334,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -484,25 +484,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | Identifiers:
CCE-85776-3 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -557,11 +557,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-85795-3 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -659,69 +659,7 @@
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | Identifiers:
CCE-85777-1 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 103 groups and 262 rules | Group
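Review bot: same future-dated build stamp here, `+ (as of 2039-11-21)` replacing `- (as of 2023-10-20)`, for this profile page; it should be corrected at the generator together with the first occurrence rather than patched page by page.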
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,32 +346,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -478,15 +478,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -504,6 +496,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -526,18 +526,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -640,22 +640,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010420, 1.4.2, SV-234851r902851_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 63 groups and 153 rules | Group
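Review bot: same future-dated build stamp here, `+ (as of 2039-11-21)` replacing `- (as of 2023-10-20)`, for this profile page; it should be corrected at the generator together with the first occurrence rather than patched page by page.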
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,32 +346,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -478,15 +478,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -504,6 +496,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -526,18 +526,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -640,22 +640,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010420, 1.4.2, SV-234851r902851_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- NFS and RPC
- Network Time Protocol
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 67 groups and 202 rules | Group
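Review bot: the only change that is clearly visible in this hunk is the revision stamp moving from `(as of 2023-10-20)` to `(as of 2039-11-21)`, a date sixteen years after the 2023-10-17 timestamps on the compared files, while the version line stays `Current version: 0.1.70 - draft`. That reads as the renderer taking its date from a wrong or unpinned clock rather than as an intended content change, and because the stamp is printed in every guide it will make each rebuild differ even when nothing else changed. Check where the renderer obtains this date and make it honour the build's source date; the same 2039 stamp appears in the SLE 15 guide hunks below.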
@@ -124,15 +124,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -150,6 +142,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -172,66 +172,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r877393_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -320,46 +320,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 51 groups and 162 rules | Group
@@ -127,66 +127,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r877393_rule | | |
| Rule
Configure Systemd Timer Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -275,46 +275,7 @@
changes a systemd service to run the check and a systemd timer to take care
of periodical execution of that systemd service should be defined. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer | Identifiers and References | Identifiers:
CCE-92516-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Web Server
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 44 groups and 110 rules | Group
@@ -209,10 +209,7 @@
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | Identifiers and References | Identifiers:
CCE-83261-8 References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, SLES-15-010010, 1.9, SV-234802r622137_rule | | |
| Group
Account and Access Control
Group contains 6 groups and 7 rules | [ref]
@@ -425,264 +425,7 @@
account allows the user to determine if any unauthorized activity has occurred and gives them
an opportunity to notify administrators. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_display_login_attempts | Identifiers and References | Identifiers:
CCE-85560-1 References:
- 1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0582, 0584, 05885, 0586, 0846, 0957, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, Req-10.2.4, 10.2.1.4, SRG-OS-000480-GPOS-00227, SLES-15-020080, SV-234873r858542_rule | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 83 groups and 242 rules | Group
@@ -122,15 +122,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -148,6 +140,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -170,18 +170,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -283,66 +283,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r877393_rule | | Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: Ensure aide is installed
package:
name: '{{ item }}'
state: present
@@ -420,6 +361,65 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
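Review bot: the six `grep -i ... / sed -i` pairs added here are inconsistent about case: `grep -i '^.*/usr/sbin/auditctl.*$'` matches case-insensitively, but the `sed -i "s#.*/usr/sbin/auditctl.*#...#"` pattern is case-sensitive, so a line that matches only because of `-i` takes the `if` branch, is left untouched by `sed`, and the `else` branch that would append the correct entry never runs, leaving /etc/aide.conf unremediated without any error. Drop `-i` from the `grep` and add `-q`, since the matches are currently echoed to stdout (the `^.*` and `.*$` parts of the pattern add nothing). Note also that the pattern matches any line containing the path, including one an administrator commented out, and the `sed` then rewrites the whole line into an active entry; if that is intended, the rule description should say so. Cosmetically, the nine empty `+` lines after `zypper install -y "aide"` are template leftovers, and the six blocks differ only in the tool name, so a `for tool in auditctl auditd ausearch aureport autrace augenrules` loop would be shorter and easier to keep consistent. The hunk is cut off in this report after the augenrules `else`, so its tail could not be checked.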
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -45,7 +45,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -88,35 +88,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -124,53 +113,44 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
-
-
+
@@ -178,29 +158,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -208,45 +189,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -45,7 +45,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -88,35 +88,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -124,53 +113,44 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
-
-
+
@@ -178,29 +158,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -208,45 +189,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,82 +7,70 @@
2023-10-17T00:00:00
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable auditd Service
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Enable TCP/IP syncookie support
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Harden SSH client Crypto Policy
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
+
Configure auditd Disk Error Action on Disk Error
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
-
-
- Ensure /var/log Located On Separate Partition
-
- ocil:ssg-partition_for_var_log_action:testaction:1
-
-
-
- Harden SSH client Crypto Policy
-
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Use Centralized and Automated Authentication
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
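Review bot: most of this hunk is reordering rather than change: `Harden SSH client Crypto Policy` with `ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1` and `Disable Host-Based Authentication` with `ocil:ssg-disable_host_auth_action:testaction:1` are each removed at one position and added at another inside the same hunk, which hides the real differences (the header goes from 82 to 70 lines, and `Ensure /var/log Located On Separate Partition` appears only on removed lines here). Emitting questionnaires in a deterministic order, for example sorted by id, in the OCIL generator would make these diffs reviewable. One content point worth a look: the context line `Configure auditd Disk Error Action on Disk Error` keeps its title while its action changes from `ocil:ssg-auditd_data_disk_error_action_action:testaction:1` to `ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1`; if both the plain and the STIG variant of that rule exist, identical titles will be indistinguishable in a rendered checklist.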
@@ -91,364 +79,358 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Disable SSH Access via Empty Passwords
-
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
-
-
-
- Specify the hash to use when signing modules
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure auditd Number of Logs Retained
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
-
- Ensure that Root's Path Does Not Include World or Group-Writable Directories
+
+ Configure the confidence in TPM for entropy
- ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
+ ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1
-
- Verify Permissions on SSH Server Public *.pub Key Files
+
+ Enable cron Service
- ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
+ ocil:ssg-service_cron_enabled_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Disable core dump backtraces
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-coredump_disable_backtraces_action:testaction:1
-
- Do Not Allow SSH Environment Options
+
+ Resolve information before writing to audit logs
- ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchmodat
+
+ Verify User Who Owns gshadow File
- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
+ ocil:ssg-file_owner_etc_gshadow_action:testaction:1
-
- Verify User Who Owns Backup gshadow File
+
+ Require modules to be validly signed
- ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
-
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -43,35 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -79,53 +68,44 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
-
-
+
@@ -133,29 +113,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -163,45 +144,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -37,7 +37,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -85,15 +85,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -101,59 +107,50 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -162,215 +159,218 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -39,7 +39,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -87,15 +87,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -103,59 +109,50 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -164,215 +161,218 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,280 +7,280 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Uninstall nfs-utils Package
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Set Existing Passwords Warning Age
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure real-time clock is set to UTC
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1
-
- Enable auditd Service
+
+ Ensure GPG keys are configured
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-ensure_GPG_keys_are_configured_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Verify Permissions of Local Logs of audit Tools
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-permissions_local_audit_binaries_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Enable TCP/IP syncookie support
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure the libaudit1 package as a part of audit Subsystem is Installed
+
+ Harden SSH client Crypto Policy
- ocil:ssg-package_audit-libs_installed_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Install SuSEfirewall2 Package
+
+ Disable Host-Based Authentication
- ocil:ssg-package_SuSEfirewall2_installed_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Uninstall rsh Package
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
+
+ Ensure Software Patches Installed
- ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Configure dnf-automatic to Install Only Security Updates
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1
-
- Harden SSH client Crypto Policy
+
+ Remove User Host-Based Authentication Files
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-no_user_host_based_files_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Enable logrotate Timer
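Review bot: the header `@@ -7,280 +7,280 @@` replaces 280 lines with 280, and pairs such as `Configure auditd Disk Error Action on Disk Error` (added with `ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1`, removed with `ocil:ssg-auditd_data_disk_error_action_action:testaction:1`) and `Harden SSH client Crypto Policy` (removed and re-added with the same action id) show that this is largely a reshuffle of questionnaires with a few id renames mixed in; the entries that appear only as added here (`Uninstall nfs-utils Package`, `Ensure Software Patches Installed` and others) would be far easier to verify if the generator wrote questionnaires in a stable order. Two details to check outside this hunk: the removed title `Set PAM''s Password Hashing Algorithm` carries a doubled apostrophe from an escaping step, so confirm its replacement entry does not, and the hunk is truncated in this report after `Enable logrotate Timer` with no action id, so its tail was not reviewed.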
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -48,15 +48,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -64,59 +70,50 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -125,215 +122,218 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -37,7 +37,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -85,15 +85,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -101,49 +107,31 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -151,190 +139,189 @@
-
+
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -39,7 +39,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -87,15 +87,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -103,49 +109,31 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -153,190 +141,189 @@
-
+
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,280 +7,274 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Uninstall nfs-utils Package
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Set Existing Passwords Warning Age
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Enable auditd Service
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure real-time clock is set to UTC
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Ensure GPG keys are configured
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-ensure_GPG_keys_are_configured_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Ensure the libaudit1 package as a part of audit Subsystem is Installed
+
+ Verify Permissions of Local Logs of audit Tools
- ocil:ssg-package_audit-libs_installed_action:testaction:1
+ ocil:ssg-permissions_local_audit_binaries_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Enable TCP/IP syncookie support
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Harden SSH client Crypto Policy
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure firewall rules exist for all open ports
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-ensure_firewall_rules_for_open_ports_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Disable Host-Based Authentication
- ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Use Kerberos Security on All Exports
+
+ Uninstall rsh Package
- ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Ensure Software Patches Installed
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Configure dnf-automatic to Install Only Security Updates
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1
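Review bot: the removed and added lines in this hunk are questionnaire titles and test-action ids that change position rather than rules that appear or disappear (the title "Configure auditd Disk Error Action on Disk Error" is removed at one position and added at another, and the hunk header shows 280 lines replaced by 274 with the same kind of content on both sides), so the OCIL generator is serialising questionnaires in non-deterministic order; sorting them by id before writing ssg-sle15-ocil.xml would let the two builds compare clean.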
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -48,15 +48,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -64,49 +70,31 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -114,190 +102,189 @@
-
+
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
+
RPMS.2017/scap-security-guide-debian-0.1.70-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.70-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.70-0.0.noarch.rpm to scap-security-guide-debian-0.1.70-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -147,4 +147,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 7c2c9ba66fc86a55253042667d5ddae2e97e4d90b716f2c6d2a5e46c61b1bccd 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html fc27307e7176ff652ad99ceb1cf49926eacc7157f17602893609d759e6c28277 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html bcf7fd8f56ee9b242543790512f47633febfcebbccd226ae8a8cce8533c69717 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html a6b5d43356f80969009f8ec68d79341d5c298f9f4cd9c5eef5979326b66d5ea2 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html f44e3fbf1c9592db39e6cdd6e292f41ef06bc56d22803547e36a2cbba0c919cc 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 611096c6e39b97ef053a0414293c92c3f0404d5ea6b34f42faaa6e0e6d242194 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html b6af261466772f662d87c240e7921f4230580da678aaf1c5e6b02fe97176d952 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 1df3166c8137847ab7d50a3b92ceca3a0b4ceff2e50c8ada67856c68e6163ecc 2
@@ -152,5 +152,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 6ad4ab3c6988870ab76063587b53b6b221042ac257c428176102d7ec9badef1a 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html e691239ba9c02a353f5cd9e2e9d8fa3d7f85599c9b8ec67600a9ceaf3c9a6040 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html fda685e81c8e492634af27ecab54b9721dbac57eea8d9318c6b91c8102453662 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html c33b444b2dabaf41beed588c2ba113998ce066fdb715fc5d71abffcba6d0af67 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 642d9172a50227bc8f474bf14d62b968be72c2a8b228e722a9ae4019fb577756 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 1b54b80b2c0e7b6fe3c2e020be3fdf414f4c342283b01303c9097fe4ec53d186 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html b9cace81120887b216db82407a07184f802ed388eac1e5e50a11f3cc543fd52c 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 454276387da4bbdce6aa25e01a954be4711ea5f0933ec490f5203c01497f71ba 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html b9df855b43d359add56dfc607ca530ebea724a70e7271dfe82319e7a296096ee 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 4cf44c36b25da4a848b03606815e4a0d2aa9a8fe8085ea59541fc82e8d2d988a 2
@@ -158 +158 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 76f2063ad5a2e99fe21b49c8c99f1eec4de0b50b7723692430afe38a2e68e44b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html bc622cf89b38b564ee09c5228408b3d11a182023c8fb179734936cc400086a64 2
@@ -191,3 +191,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 8bd7ae2afa284fd82a69c624c64c373228c486b18b0d54c43b3a6c9c08244778 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 5a1b9f8ec3c5707806ed91bbccaded29eae255e188855f0a256bda33eb63055f 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml e73ca4edc6b5ce9dd6040168d1b10eee00309571bfd40fdb06c00ad7164e5124 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml fb1e3cdbaf81d4d24791f1a3a6103c14690abe59616da1e6b20254832d2e639d 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 95560b90ade1a1930baa461da966aca7805464ffb5d1a5d6cb3aa54445c47538 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 7a5139dcddc1e3a4a5360ea40530a3162776ddff7b0da7e054bea44dcf0de9d9 0
@@ -195 +195 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml e07ae91fd8013cc125b96fb18bf1f035c0fefe8fdf49b9b6a275f6a704b5a0c4 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 6914d4fe87dbbdf0cdc93fe12e1ad4105e1deac13e2f66b8a4137986ac3e1035 0
@@ -198,3 +198,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2e6ee416f7992836b98eb83b20cecb97f9cdc04861f35037fea3ff7d81d5c35a 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 583b2542b1442e6dd9cb96ff491fb209390b70c17f2e4af35005837815170b09 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml d9378add1d5dee14dad7fc4c25db458012e3482a5df8337c1e359a567317627c 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml f0d65e05c5910fd8a01b604abee779858e8b8029cba040cbae4063da901606ca 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 483ec1f1ce8501c9a24407772ce843fd005be2360fc980523fec7977c0ac2594 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 47c2aec9c5ec865b1cd0fc9caef711486443ddd0c4317c314b03bd522a6e5448 0
@@ -202 +202 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml d024b436331dd21d61b0c3ae76112d8669f81bd3980efb9b0b5c149da6aed5ae 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 7eb4bff0a4916ab8bc16a376f107f7123fa583eb50dc3405b34377330f9de724 0
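Review bot: every changed entry in these file-list hunks is a checksum change for a generated guide HTML or datastream/OCIL/XCCDF XML under /usr/share/doc/scap-security-guide/guides and /usr/share/xml/scap/ssg/content, with no file added or removed, so the package file list itself is stable and the reproducibility fix belongs in content generation; the per-file diffs that follow pin the differences to the rendered revision date and to rule ordering.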
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 10
Group contains 20 groups and 45 rules | Group
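Review bot: the only change in this hunk is the "(as of ...)" date on the Revision History line, which comes from the build clock (2023-10-20 in the first build, 2039-11-21 in the rebuild), so every generated guide will differ on each rebuild; derive that date from SOURCE_DATE_EPOCH or the package changelog instead of the wall clock, or drop it from the rendered guide.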
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
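Review bot: the removed and re-added block for xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd is identical in this text rendering, while the hunk header reports 22 old lines collapsing to 7 new ones, so whatever differs is markup or whitespace that the text extraction dropped rather than rule content; compare the raw HTML for non-deterministic attribute or cell ordering in the rule table before treating this as a content change.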
@@ -333,109 +333,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 10
Group contains 23 groups and 50 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -560,109 +560,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
ChecklistGroup
Guide to the Secure Configuration of Debian 10
Group contains 11 groups and 24 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -415,8 +415,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group , run the command: $ sudo chgrp root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow , run the command: $ sudo chgrp shadow /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow , run the command: $ sudo chgrp shadow /etc/shadow | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group , run the command: $ sudo chown root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns gshadow File
[ref] | To properly set the owner of /etc/gshadow , run the command: $ sudo chown root /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 10
Group contains 22 groups and 49 rules | Group
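Review bot: the only change in this hunk is the "as of" date on the Revision History line, which moves from 2023-10-20 to 2039-11-21 while the version stays at 0.1.70 - draft, so the date is evidently taken from the build environment's clock rather than from the source. That makes every rebuilt guide differ even when nothing else changed; derive the date from a fixed input such as SOURCE_DATE_EPOCH (or the release date recorded with the content) so two builds of the same revision produce byte-identical HTML.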
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
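Review bot: the header claims 22 lines removed and 7 added, but the removed and re-added text for rule xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd reads identically from the title down to the references list, so the 15 lines that actually disappeared are not visible in this extracted text. Before treating this as a whitespace or timestamp-only difference, diff the raw HTML for that rule to confirm what was dropped; the line count points at content that does not survive text extraction (markup, or an embedded remediation block, for example), and a rebuilt guide silently losing part of a rule would matter far more than the date drift.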
@@ -539,109 +539,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 10
Group contains 19 groups and 44 rules | Group
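Review bot: this hunk is incomplete as presented. The header announces 109 lines removed and 7 added, yet only one removed line (the references list for xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership) appears before the output jumps to the "Profile Information" header and the Revision History date change of the next guide, with no file separator in between. The remaining removed lines and the name of that second guide are missing, so this region cannot be reviewed from the report alone; regenerate it with the file headers intact before signing off.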
@@ -415,109 +415,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
- rsyslog should be
-
- adm .
-
-These log files are determined by the second part of each Rule line in
- /etc/rsyslog.conf and typically all appear in /var/log .
-For each log file LOGFILE referenced in /etc/rsyslog.conf ,
-run the following command to inspect the file's owner:
- $ ls -l LOGFILE
-If the owner is not
-
- adm ,
-
-run the following command to
-correct this:
-
- $ sudo chown adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Log files should be
-protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | |
| Rule
+ Ensure Log Files Are Owned By Appropriate User
+ [ref] | The owner of all log files written by
+ rsyslog should be
+
+ adm .
+
+These log files are determined by the second part of each Rule line in
+ /etc/rsyslog.conf and typically all appear in /var/log .
+For each log file LOGFILE referenced in /etc/rsyslog.conf ,
+run the following command to inspect the file's owner:
+ $ ls -l LOGFILE
+If the owner is not
+
+ adm ,
+
+run the following command to
+correct this:
+
+ $ sudo chown adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Log files should be
+protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership | Identifiers and References | References:
+ BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 11
Group contains 20 groups and 45 rules | Group
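Review bot: same pattern as the other rule hunks: xccdf_org.ssgproject.content_rule_rsyslog_files_ownership is removed and re-added with identical visible text while the header reports 109 lines removed against 7 added, and the hunk then runs straight into the Debian 11 guide's Revision History date change without a file separator. The roughly one hundred lines left unaccounted for are the actual difference and need to be inspected in the raw HTML; the visible text proves only that the rule's prose survived the rebuild, not that its remediation or markup did.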
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -333,109 +333,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 11
Group contains 23 groups and 50 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -560,109 +560,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
ChecklistGroup
Guide to the Secure Configuration of Debian 11
Group contains 11 groups and 24 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -415,8 +415,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group , run the command: $ sudo chgrp root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow , run the command: $ sudo chgrp shadow /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow , run the command: $ sudo chgrp shadow /etc/shadow | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group , run the command: $ sudo chown root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns gshadow File
[ref] | To properly set the owner of /etc/gshadow , run the command: $ sudo chown root /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | Identifiers and References | References:
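Review bot: the header shows an 8-to-7 line change, but no added or removed line is visible in the hunk, which ends on the "References:" label of rule xccdf_org.ssgproject.content_rule_file_owner_etc_passwd immediately before the next file header, so the one line that differs (presumably the references list that closes that rule) has been cut off. Note also that the "- 12, 13, 14, ..." lines here are list bullets from the rendered references table, not removals: each lacks a "+" counterpart and the net change is a single line. Regenerate this part of the report, or read the raw diff, before concluding that the ownership rules for /etc/passwd, /etc/group, /etc/shadow or /etc/gshadow changed.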
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 11
Group contains 22 groups and 49 rules | Group
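Review bot: the same Revision History date drift (2023-10-20 to 2039-11-21 at version 0.1.70 - draft) recurs in this guide exactly as in the other guides in this report, so the fix belongs in the shared guide-generation step that stamps the date, not in the individual guides; once that step reads a fixed date, these header hunks should disappear from the rebuild diff entirely, leaving only the rule-body hunks that still need investigation.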
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
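Review bot: the removed and re-added "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD" rule blocks are textually identical in this rendering, so whatever differs is in markup the text extraction dropped (likely an id or attribute on the rule container). Check whether rule anchors in the generated HTML are derived from something non-deterministic; a changing anchor also breaks deep links into the guide.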
@@ -539,109 +539,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Debian 11
Group contains 19 groups and 44 rules | Group
@@ -415,109 +415,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
- rsyslog should be
-
- adm .
-
-These log files are determined by the second part of each Rule line in
- /etc/rsyslog.conf and typically all appear in /var/log .
-For each log file LOGFILE referenced in /etc/rsyslog.conf ,
-run the following command to inspect the file's owner:
- $ ls -l LOGFILE
-If the owner is not
-
- adm ,
-
-run the following command to
-correct this:
-
- $ sudo chown adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Log files should be
-protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | |
| Rule
+ Ensure Log Files Are Owned By Appropriate User
+ [ref] | The owner of all log files written by
+ rsyslog should be
+
+ adm .
+
+These log files are determined by the second part of each Rule line in
+ /etc/rsyslog.conf and typically all appear in /var/log .
+For each log file LOGFILE referenced in /etc/rsyslog.conf ,
+run the following command to inspect the file's owner:
+ $ ls -l LOGFILE
+If the owner is not
+
+ adm ,
+
+run the following command to
+correct this:
+
+ $ sudo chown adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Log files should be
+protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership | Identifiers and References | References:
+ BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Remediation Ansible snippet ⇲Complexity: | low |
---|
Disruption: | medium |
---|
Strategy: | configure |
---|
- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration
facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
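Review bot: the "- draft" / "+ draft" lines are identical as text, so the change is in an attribute not preserved here. The XCCDF status element carries a date attribute, which is consistent with the build date being embedded in the datastream as well as in the HTML guides; same root cause as the guide date, same fix.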
@@ -76,35 +76,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,53 +101,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -166,29 +151,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -196,50 +182,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -76,35 +76,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,53 +101,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -166,29 +151,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -196,50 +182,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,88 +7,76 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Enable auditd Service
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
+
Configure auditd Disk Error Action on Disk Error
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
-
-
- Ensure /var/log Located On Separate Partition
-
- ocil:ssg-partition_for_var_log_action:testaction:1
-
-
-
- Harden SSH client Crypto Policy
-
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Use Centralized and Automated Authentication
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
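Review bot: this hunk is a reorder, not a content change: every questionnaire/test-action pair (e.g. ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1, ocil:ssg-disable_host_auth_action:testaction:1) appears on both sides at different positions, so the OCIL document is emitted in a non-deterministic order (presumably hash or set iteration). Sort questionnaires and test actions by id before serialising. Separately, the title "Disable support for /proc/kkcore" does not match its id ocil:ssg-kernel_config_proc_kcore_action:testaction:1 (kkcore vs kcore) and wants correcting in the source content.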
@@ -97,394 +85,394 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure auditd Number of Logs Retained
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure the confidence in TPM for entropy
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1
-
- Ensure that Root's Path Does Not Include World or Group-Writable Directories
+
+ Enable cron Service
- ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
+ ocil:ssg-service_cron_enabled_action:testaction:1
-
- Verify Permissions on SSH Server Public *.pub Key Files
+
+ Disable core dump backtraces
- ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
+ ocil:ssg-coredump_disable_backtraces_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Resolve information before writing to audit logs
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Do Not Allow SSH Environment Options
+
+ Verify User Who Owns gshadow File
- ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
+ ocil:ssg-file_owner_etc_gshadow_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchmodat
+
+ Require modules to be validly signed
- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
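Review bot: same ordering problem as the previous hunk; the @@ -97,394 +85,394 @@ header shows the remainder of the file is shuffled wholesale, with no pair added or removed, which confirms the fix belongs in the serialiser rather than in any individual rule.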
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -43,35 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -79,53 +68,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -133,29 +118,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -163,50 +149,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -76,35 +76,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,53 +101,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -166,29 +151,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -196,50 +182,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -76,35 +76,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,53 +101,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -166,29 +151,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -196,50 +182,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,88 +7,76 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Enable auditd Service
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
+
Configure auditd Disk Error Action on Disk Error
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
-
-
- Ensure /var/log Located On Separate Partition
-
- ocil:ssg-partition_for_var_log_action:testaction:1
-
-
-
- Harden SSH client Crypto Policy
-
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Use Centralized and Automated Authentication
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
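Review bot: this debian11 OCIL hunk is line-for-line the same shuffle as the debian10 one above, including the same pairs landing in the same new positions, so the non-deterministic ordering lives in the shared build step and not in per-product content; one fix there covers every product.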
@@ -97,394 +85,394 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure auditd Number of Logs Retained
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure the confidence in TPM for entropy
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1
-
- Ensure that Root's Path Does Not Include World or Group-Writable Directories
+
+ Enable cron Service
- ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
+ ocil:ssg-service_cron_enabled_action:testaction:1
-
- Verify Permissions on SSH Server Public *.pub Key Files
+
+ Disable core dump backtraces
- ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
+ ocil:ssg-coredump_disable_backtraces_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Resolve information before writing to audit logs
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Do Not Allow SSH Environment Options
+
+ Verify User Who Owns gshadow File
- ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
+ ocil:ssg-file_owner_etc_gshadow_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchmodat
+
+ Require modules to be validly signed
- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_force_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -43,35 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -79,53 +68,49 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
@@ -133,29 +118,30 @@
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -163,50 +149,64 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
RPMS.2017/scap-security-guide-redhat-0.1.70-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.70-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.70-0.0.noarch.rpm to scap-security-guide-redhat-0.1.70-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -821,13 +821,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html a3b02a9b2daa451a15f825ff296368b41557b42afa291d99921ee0c25e27cdd7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html d0275c678c3f5bbcf3f4616efb7cd1b3abdd76eabe891abed5438401eef76970 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html 353d572c600f0d779ce9bc7f31a15faa41c077d67a430c5f1936698e8368027e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html a4f094c5462995480cf56ef38b7237b90c3b218fdcf47b524f7e72268397a673 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html a66b27b2c5d62e347ee883494c75ddd34ce3bc04e50fa30766995a1a5afada73 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html a003346d33980bb5e03469403c3da7ac97382c7e399091aa4b35c4f228947749 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 74664741ce9790e912c3cdc0e949566640ad6b335e04e480a8de74e33a7fd8af 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html c6cbdf3825afcc73e7c96c2709516de34e0a1d91c475516949385903e74cd513 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html 231a176b03b558b77c00a7e7d3e51887984e7094c587167b8125024d1c69cad0 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html 042bc37eed5bac26ae2a0dac67eb7ddef0737f0c87244034032e68d0bd32e469 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html 8975aca76b45619827e18a93e10c9e856c356d688e7761431d57d358d5e17a54 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html ca561a31afa4331f10e9f06c50ba82a27cc8114a4f3e0049407475d6247bbac3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html a5b1a8fe51f73e0f03bd777c932510049acd629511db746b1ce7b5e8964068db 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 731501b2e86e6a08af5aeaae75e0ead548ae0bd80a429e05000b920a0abf3bf0 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html 0fd652f4e2a5f5904ed187b45202d9e4e4a3041ac3fc16011820424a9b142513 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html e59e02f727991d1da1abe2e373ef076cd3d18ca4b3c00eb18a60f8406cd58341 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html 8809db2c248d49dbdb906cdda77e5a6e5a6cd375d67163949c2f2dfeab3e74d4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html cc444dc5c5e144693452f34ad4a4977e8c715001385421b83b2681b72fd4b90f 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 45f1f372fa487f20f489cb3224e1d11adcc7f4b6c5d0736f35c9c980039cab59 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 01d59006a4c289a013a35925cdf2c0c10cced6b9f70a5744e230abfd836cd35c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html f91fc4bff7ec4530cbc9e99fd0f01ac2343c9244d78750273902cbda04302ecd 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html 13ede0f6dd94651d25dce5afe9f79baf324639dc1d2a5e79592c364b0f80a21c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html 2657ac47626e4d8dd96db4bd7749c9d7d4c303b4141d90512e222205695f85f2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html 0990f71f934a6c2c90a63d42b04ca6e4744e23cccd90ee9e107b0a55ac5836d3 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html 24350b1fc311d1c95a1a43bef7dcf7f7f62469da270c1766457c4cc3c8d80c63 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html fa18a0b9cccf18bfb0286e68a5c4a301526b2ea0a7e1f13073adc9d5e1f1beb9 2
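Review bot: every listed guide's sha256 changes while the paths and trailing field stay the same, which is the expected consequence of the embedded date seen in the HTML diffs above. No separate action is needed here: once the date source is fixed these checksums should match and the package comparison should pass, so this hunk is the right place to verify that fix.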
@@ -835,21 +835,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html fb97a71c9ba822506cf5c8b1a2256ed8924f6bccb7e46ec613977d3fbd3fb27b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 28b15186c59bfc94a5016bfa331c70e3cf643292584e931cb5c1ef5afa60b822 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 7bc051878dfdd9b1e65900ae38bc6a88e9faf4b07ee61c29079fb50ceb291419 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html 20887a2d4fb6b7907f1cc5de09b2f02fa317f51958a089ffe19d452cc8f6f9ec 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html a50188e86c7c685a71a30cd10eadde64be1f08a1cf53343556d81bcc49f2c049 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html ced2379266c0bdab600bdc2997eb70359ac665956531a9b3f675a21b25e294f7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html df171722ad2726b89d9038112c6b03fd6f9b2b7f1360c6bbc6bef0569f2b93e6 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html a0e55243583e46d4c62cdf9e8d390af9b6f08af2284a13dee58fb1da52551c15 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 3aac0fd14482e9075890e08e39e48acb90fc577b233df6cd3b3625facd3f06f7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 65b34177cfaf1747ec88712fc7e95161e82c9261ddf40f46a76bc075111f8e17 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html b150058016e9ca962268278d1e9981c39360b695afb05a97840715dcbc41579b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 777418870fde8a1cd56a059dc7ffbcccf62732e398f06e5e4ac243351709b444 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 4e8a26482e2a9d7c644db6ae7e76faa44fcb5e67c9dd19b5723a43e8887b9200 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 45734397fccde14da0c47d89e462850dde944b289f9def7c4c868dcb28a87f90 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html f8f7e428a5af3e8cd7411e06b106242b06537fef0d6104058d0b497928fdc68d 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html bc88c8db98ebe88516c25b39cde5a85e706eccd931716d457683cc1cb3fdadd1 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 79f21807b52c32a455b6e8a9cf98be67caae5642d8af697fb385fdb6c9ea59c7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html b40c4f39c18ddd140140fcc84f5817b4b1ad3c9b98ced0f096a2bc77af665747 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 11435291c1ee27ed97a0913a4dbe3425e507bd40e856a3f798ce4932a23f88d3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html e97f1024b98ad150afb1dace187413e22663e13791bbcf435bd9c876582d660f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html b88b527f41cb65e86c80db9b0d1e3d59d532c1dfc94af2203bea890fb1e477e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html a3fe2eac494ea1b990298aa7970874afc119122f258a250534737f20f12c404d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 550bef3ef15889c1981dd6c476fbbc018cd7ba39c21fe2c8339925502bce09cf 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html a0d100f0b8ea812e83ffcde49afbba0421ad0ae61ec28fd8957f87184ee86af7 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html f6bf3722ea188d673e140842d666b3fa4eec859ebdfae1a4ab2a3baadb378577 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html 9576fc47b2e6e116a2b992a72a679df999f5023085789f08652868da2ebef4dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html 9f3c37fb00aa52385096f255a9404b6d5cc51100c6a6c9745ab7660ecb854dd8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 199ff3c7cd60685b1ff750720c1540bd6b45ea6b427e4c8f933a7cd6a4706bf8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html 4bcf2ea5e7992e0f148bcabec03335b009b9562da48a3bf76465119061f52e79 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 9cd805fb75b9d716e7840fbeb22caa598152563c76ab23b01b9f1556bcfeb3f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html b169cb342e024e2ea7c872e7f4c4dc6d120a1712076f7ce796a75c867274d07a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 977e6ed7b950c622c9d96064d6a15b3f6e1ecc3a85f9f213ef0e4bdb0fc9fe37 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html ac5dc55b779424d96eda11e63f466e74cf20cae378e1ef02cefb07d9c8f6ca99 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 86e26aed16e1335c6fc061e001cde0bf53fc0159fd70fcabb188b2d1e3f83429 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 1cea88c4c02bd943530afb66371c9a980aa4ca1c42bd502b0fa1f8a8ffa847d2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html c8bb96eb4d26b416f97b68b963283da84249dbc31b26d375c86fc9036f8d6811 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 72b6bd3f0f4a4f99dad43df9f16d1c73ca487528b733cd2627b2e9a88b0c5bb3 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html e14d03a8ed9324421646c3fb168a05555912f6336e43e150e01e57976d451b41 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 4b65c464207c7d8336e4c11700fb9f2deb77f9250ea7b8769a00e010d5d7e4a4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html ad7fb082013d8742bc1e84fc87d51bfc2605ae86b9c48ac771d54427d7f43b56 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html ceca1129df158887c90881770b8a2a652b63bde8b2c3aad95e620b7127f478b2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html bb20728d70c82d6e7f224f4f9d9077e0306ba91312eae235fc63e44454fd2863 2
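Review bot: Every entry in this hunk (and in the hunks that follow) replaces only the 64-hex-character digest column, leaving the path and the trailing `2` field untouched, and the hunks carry no unchanged context lines, so nothing in the diff lets a reviewer confirm that the new digests actually correspond to regenerated guide files. Please state in the commit message which change triggered the regeneration of every guide and confirm that the digests were produced by the build tooling rather than edited by hand; a manifest whose digests do not match the shipped files is useless as an integrity check. As a spot check before merging, recompute the digest of one listed file from the build output, e.g. `sha256sum /usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html`, and compare it with `bb20728d70c82d6e7f224f4f9d9077e0306ba91312eae235fc63e44454fd2863`.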
@@ -857,21 +857,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html c19763a373b0ea3bb557786b2a7f738baad598a3c6477940515917f31ec45a7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html a00c10edae1605b926cd8f8770511ca12ce8ff927dede6c4f00e4ba914a39ea7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 938b1d39c93cbc3cd4a569032bf7159ba17530ab8855e78d85a10eeeb11cede1 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html bfdf4b11a2d0a31f199a7203ffc850ced3630a3ea9ce2b6791d455e05da81e71 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html afdebd81348fe02d035940bb880fd8937931fddcb95dcc367a2a1bac829b0181 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 94e6db5965c1cc5ecfe5ed643d6fdef7d273c8775d4e4369b113a6442655737c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 1fa10ee72b385191e8945caec901876c43c29c967338c5e8baffad5774f1a8b8 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html b7617aa9d0701207a9ce18750223da64705774ed1911540b5c091163ea73f202 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 6dd03bb010384f54acf8a11fe3a3ccfd1c28cec3ffe2d9eaa229d3bc9efa146a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 8edb360d92e0538b03a33df897f7d213cf9cf3d16e7e9d9b19781145d7e60aad 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 96fa6e160851960ba786114e9a4e295502d54c375be34141de62fd0e35d43956 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_advanced.html 81b0670d6d17d4e37ef865221c228272cc4576d2dc27ca9970056a01745a493a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_basic.html 10b0231a2d71adfb72a764b682834240c0ec0c63f22c5897838a4194f490bc6a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_intermediate.html 3a4932b7d3ba4b1ec027ccafaf33ac396fce8b37fc55216c21f934dfe5a80e6e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html ae6b7b181444dacdb5587d0e1a3947f7dcffa02de2b1f5d11381585cc6205530 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html b8a5ff5070c1c53e970fbec4f8d946ce08420a6c27798b2b982257e77538df2c 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 69f1aaf1e22a9b3370a0c9fa85caa6437e4d024d14b8c5dbb59bcd8ec187d991 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 4818fafa72934facd8a190c17ca4bc35af8a01b457c057696da3496bb3af87e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 7f681e933c87f792d2c61881d05d4bf435ad93340a66f96b737a30f5b774120d 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 9fc71615422f900c54d91a01d57332a0a845020721284cc273111c6c81faf2f7 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 040c8331185a632f0b50d503f23489f678a109b57d35973a4687699a584d05a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 396dd4a2639c04b5f983fa4f742f65d7f1f263a7ad15b179f27ab9ca78e6d36f 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 52c4cc4ba8fed0db31212c115c91dc5d6d4e0eb044f1f60a89559cd439d2e800 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html b8d963d093ca15c63b89013755ae7169382c01a915948bfac880b9261886b840 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 975da56296c8d07761c153a8da9ab2de99d4a4c462788a5575ca0bf01f12d465 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 6184586f0c8efc72771d0c36e6d64583d157c7d06ecaff644350566400179236 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html af292bf3e168d4a20bdc67165415e95c1f00b640d34763bfffe54dce1ae5e195 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html f3e8880b7d8e5a4e8b717caf7f71406b3282d6d08889a67b2fd3abb95ce7f514 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html a87cc36d3fa0f2df507e558c2fe909e859cdd3d28466665b11ee6892e1fa1534 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 4ee820f72860612f4ee38def54ce682cd339ffcc01b48b07b9ca25d7d1a1909a 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 3b96fc7e18b1e6962d345dfe30c709eb28d29d7d49264ca47acdc6c3cc00f9af 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html c36e381dd643f210dd4c5cf96b99d1aab8a0623ab7b1b8ad7dc26c5c7903e19d 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_advanced.html 570f5ab5af08c138b556e1a51880ad633a3bca84b637acfd4ae403d9aef65138 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_basic.html 45a1389fb2c165bf9a5e2f0184f7d44db9199c301a30515f907e9221c349eaea 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ccn_intermediate.html 724ed44f0ae6b480b71f10a105b37a9723434049ed4953741911602f0686356c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 7a2776db209c10297f0d55d308b1fc570681bdba0853013388c17a16579a6811 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 853e08674483f7820b5874a214d024d765ff0a4140099a0dd9967e45dd38bf1e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html a82558eab0c3670f29161f80e68e7a185d1a547c7fd8016e37bec0262484c08c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 83e47987cedde4d698b6098541cb63e660a9978934bae9b7ab132d6c6ea3dedb 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 4fae0abc4311b3de3255871ef5a3bff0c542d01906f067756588ad9ea3e11b0e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html dc6ef75e94a4129e4be9be15a7b89059ebb541b4e9ace8e3fe7038fb48d1e210 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html df7a431f4d3937464cdfb1c6622d40cd1f2d45ba6efacbd39492a63e2b718d2d 2
@@ -879,6 +879,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html c22acd3e187894e77f44f1f811e8c91b0f1306da7ec00aa4222d2b423d9ec4db 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2e710801590aa413d2e614625cf004872fc9b2a1ae262362ec68ad1719c2ab95 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 46b72b85489a574a4a1be89096883067c3b7c0ba76d0244fb6aea752464ef863 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html be499c3ef08a7008e11211ff11e42c2c56d0573ac3f0a0b92f116530c0a73439 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 26145d30cd859bfe9434bd10373dcf85e22b63e3377735e3de6001f3114dc93b 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html cd290ddccde2e80da669cb4e68c9b3c21ab5d9cf03fb5580382d172a2f29ac23 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 18db2e5d58e53689d861d923a532f7461ca325a5b8092030abf78e5f982f8124 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 5ec0fad98b4c6880ff2b08e4d103ec62190fc9881a7e62b7aa73957fe1f1eecc 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 7c86f94ab82bfe58ba6136ef6338abfb405e82e4299e2318bff39decc0ba0a9e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 67057b6e7f4443ec2ae5a8a8c317632cd8cde5d5d6e12ab4afeefd5007d7d53c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 26776cc7ccb477ccb749a36c2bbf7c0cb7d721aefd93751bccf6d984e10670fd 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html 883ae778dbc40b59d044113f68f1edb5c675d411e200177dd2334302ea99849b 2
@@ -886,11 +886,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html ceb3cbb30cb2e4d4553bee630dfc3443fc11b9a7a540d3b4e2667b3826837e40 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html abe26ec0451f297eb16a4321800dd985b0a0500498d8b7a1c8b91a51f0f33c44 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 07db9316e094e8f01e0f617e7449719033ed1fb081e85ca6ecc9b04983f20538 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 068ca0d307a6ae025251c2c9608ccf708cbfd630618fdde54bad0e51adb268b4 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html ae6bcc0a690599275111ea9136dab18ea2dfade7917f49061b5065f37133732f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html f7a8e0c0250a945ab084763fb5929da7c6721051dd4675bffd94597b74f1ef41 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 482b2f5100149e7882f5b1bc3c0521cd7adf3865730d13a3c0f552902077195d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 4506634eba5772d80855e45ac992022f5ca705a80c3d5a30c7c755e8ef2ac191 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 70307427fa97c122e5fae10ca91a185b067d27b0c438d963a65d1abb03fa2a1c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html a67260053e7c5316f6df933b3b6898c89f90d6652010e48cc6779116f2c50cd5 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2f5c6aba2355bed6e5bc73ca1641a1784cfc2c19318bf232ed1333e89c24273a 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 6eaa6493266d7cb732e2703ef34d1b5e1664d61eb5a5c7375bfe3028bf316b01 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html d497d8cb248729a18b289ea6a2cb1d786ca32d19c5a3a07d7590d6b9fc68f0f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 5adf93926a17f9e8a47c7ceddd97723c659f9d7166d7266cc96681fe2bc4efc4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html b2a8541f0aadf449ba15c0a1058b42e2549d022254850b783e1d35c1a93646bf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html d0118100fab9556753a5af40d12292d22aab8fc4645c5ba016a9cd68310e54c3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 9427ec293ecfe38f34574eb730ca365f117da359417c00669e4e7c7f71a40a40 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 816952177fa3c52d19964a513b22b5a152b9398ba21dfcb50bfdd5182168c67a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html a7753c590caffd3e007463ee5157cfc6e173785b2e1d065e10785fe425e36a3d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2cc0a84e4a4796ff687da512d9bb5b66f91aa0df6aab64973e71a17ea651ab1b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 60f5f344676b3080728afecaeb510f6aa9405c5176bb3533965f9b8f520470c4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 3a232bbd2fc0f743a9c730dc4494da4e7d1e43616636db15cd5fb68208a64f58 2
@@ -898,15 +898,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 1ed027173ee2a7fa857e711b645ca6c84d4f7f4ab4668cfc27d600c589d44f1e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 9134414ed4451876d8c87c03ad3daa5e36d27ba05606900de82e37c410f6d45c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 326855db09e97db0b3d11f02b12563b528a683a8eaed874a6bdf9c02ce4df32c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html c0c2cd4d4b1b9622fafc18ef1e02fd36e50df05f4ae2773d227abf62933d0ed6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 8005e68e980d1c7ddfc28c488fc52b6184c21eb94503fdb5cec3708339a7dabb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 3e7eaa3078a18ed5aeeb90119a5c724bc0af97abadf071cd40c19ae2d5651209 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 73525200edb994d849019d70f9c014d310993a1132bf2db583df0b5d24c18f89 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html ce98afdc00b07efc9240ba198e1267183da81c3edcfc2d1c6085bfb2e77d814d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 526a56ba9f9b980005d670161a61f473faf1533808ce523abdd8b280d3261ea2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 9a376f429b0671b54cec472a09f330075b566c7443f33531a07796c42238affb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html c568b9b5d7384382edef3ff403f17c37f1b590e9e256ef00f14ce72ff93462ee 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 7aa221f819ebd964a94ebca7f4378786b216c77b7c8436c82eef87fef17bae64 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 758afd62a10ea8402e6e5dfc12667c08a21aa22c881895d8fb9e950073439d09 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html b809f8379955937b206a10c3d2961520ad52becf33d43c9c261f5e0797dc41b1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 938390a734dea14588ccb079ee4a86dcc03f123be2f82beb92504014f6c2fde1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html f26bbead89f3ff7dbf8ad10d70a4b9e89437f3f71c6c669a2b674226a57db594 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html fd3c4d4d755caffa5237c8cabbf6e41a3e2a89e46dae83dcead421f9114f00bf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 8995c9f90e482869009a93004e68284764c2c3c342237149784629a3a6463b6e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 1380b4f2aa8c2641e2be2ca532bb26a0ef77465fa490cbbb1ee336ed7565bbdf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html d0a47b7cf5aa15d239978349c13157f5901a579142b413335778db6d66bcf70d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html d07cd48c453eb2cf760a24a1e4b1208f370155040d9c7ebe9800df13c91ee07f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html a273382fb8d066cfb870448b5c207fde5e4f8d49284da8e24fa64766482dc6b4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html a26ceb3c4078fa3ee87999822c0848a273836aa2b418fbd28edc635d485068db 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html c273196ccd8c142edb9630aca057baebce66707b4b97c907fcf68cdffdd86978 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html cbb73b28b537b07d1e55b7530a51340876fda92a5cf5ff7238ee3df61db5c5e1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 12d9508d95eee1c9315e97e85caea614be3ca9c5a86196cfc5fa00396f38a509 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 6dee472847887e838391d3d60ecdf9f64c0e6f51cbb927ebaf54492dc1ad89e1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html ab3dfd95c22791cb6923ca973b2268e19f63fa444497833ad90b8e4427ebece2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 1b002f3cdf8b53bbbf5be449d761fe352b0c3931e63398990613503bf599fb50 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 5d13bedfea72d2bce214c5916387e64c2a36c120f98302537ff6c0dc406d0d82 2
@@ -914,12 +914,12 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 15da32048701bd585d9d7fef192c58072fc4cce1e8bcc98b8217e9f989f6e2d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html c998c22f005919df2a6a5f0f4a2f399363b666d84b8f423383453a7aacc0d6cf 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 9ee74f41758ad1c1ad9dca12f2de3bd3a83540b3931e4cb8a525106d2a903bbc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 02536ffe7a7602d0f5ade1d5d7d05d62a8da57d701495a95963184e4064222c1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html c2702fe6077ae46adb90d75d3ba119d1352f41fc7bd5ce7970ae0e7a60c0d093 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html 45f1c196f63080cae8c7000c5a06ddea1b61fd34ee373e6fb6d340fc221840ed 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 6be60fc9ac749236538d4585160862f8767d836d3eaa5e3a800147e30fbbfc5e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html f94f66b54042c398973a55913353af83217268f620df5afefeed5706a409c03e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html b9598aba511d001b148c9c9797bb47dd90d46ac35ac79dadeeb42c31235e8c02 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html 211c7b4e32eaa18857af5629dbae6e21c1b4b0d4a4c7d8001c8038b6e5f27873 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 9442bca6d4516b9d5922e2bf93d34a6a10309c30071c181f07e85cda7d1210ab 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html 29e29d8702d71ae4608504a25def6e753b7a82e244e36c260cd79d466e59dec2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 40bc299a93871486ab976c512a07e81d7ebbc3fca96a39a948a9e4e560d487e6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html bf6c05a4bd83a9a8b98ee061f9d5e5352c7339109336542950a8b18d49233bff 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html bf5541bbd281ec9effe588cfb0277cf0f4598b94396a586dcd8698cb6970a842 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 5d57755ef018e9c3f7c0f0383fd546f5acd70fc14a0777b7b852515efab68ccb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 7fc60243ec12421b9589d89b8e038aad681d14d7f46e8f4fe0ac1d59c40c57c9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html a60c023ecd83933c2e7a796c6a00c40e3c057d4ba06b33d24465a4c72e9b96ae 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html e1103c1aa50598bd7187043ccdc6085c678e5c44ce1d90017cd5bd28b8a49b02 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html 831b7793e6c7cdfdce4d5ff9ace1e29099fb59036c17df6dcf28b35534437db4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html da149cb15a6b5d8a71660b67d8d758ce914cbc00397b3cab034d87c6b1467448 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html b3716dabd30b41a482f464552a71603e18e43884697e4f01ad67f36e2fc755dd 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 8c1ed45e7e63a800437854fed63a240356de0b64315ac3a2fc9887cb9b0488e3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html c8dd1ef5944823a310c4dc3aa888f5425e81e34b2315b651b5a784b7397d7157 2
@@ -927,11 +927,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 6673072486e03e6335318c14fc157ecb3ef282abe85a72c7fd8779881eb5b923 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 46c91cd2ea940c699f9e3325161586f42895f83cf43d73f8651b590a31c17cd6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html c3bf0b6225d66fdabba9db56d1f5cb3c18f33ad8c78d8576d819ad97faa55eb0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 15e4bdfc61627bde9ccdccf190619bc6a0571c2a884f028fc522c54a5fe1cadc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html e2c223f32b8d785092b4e7b34ced56054b95e2c17a1a62388469d9bde0c13c82 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 38c14253dacc92eaf88efb2c06e295cffabbf100a5fb8ac63c8e189df0d3e28e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 652d1c16cd10ba26fc03ab869472e1fbc1c05d74934412c754b46bfaa75fcef9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html a4fd3e9ce0b9b49f7b3c96ff1a736ffde0315e5754ff1928bdaf5c23eb7e12ab 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 34983261c61150a44c9bfc173141896c3264a23d1fd8b3b5b9a8e69729b6e10a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html dc1cb54e096c9498a91a27ccf79bb1a60d1b05d3626f95cb3897be371bdb32b9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 8c3d30e4b3ca57a5585662cbe9e85acb9f74734c1d9a7c24de451feb62abd4a1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 6aa1066484ce2b1e82ef14e7dbd1f99d1107f74351d0bdd871e68f71e06f711f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 36380fb0abde19066a10df973f5cfd52f8b15e0c75a423e31a2e4e8984ba0bac 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 793282659e82ed661c07d75b99c1733e2dffd21add25a347bc229bcd1b2d8e35 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 85647cd104e919cddc423abf811059767d9d89203e3896ffb888fc5892b74ca7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 5aa6333a172c9fa5f06439e34069305b810011c8584c772967a1436b849375bd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 345ea2b634074fe3ada7c1abb08a9ccc527d1b393bf8194a092072b22f9cc99f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 1997de82ef361ae046d8494406aa76f04bfa2c3ad61340390ff7ab3042256414 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html cb97a633955e7fdc7c8ec6d28d645acb18b9675bc0159adf0c4bbcb39a2e142a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 5e51b4b87ab59ae449efdd5777300922bb42f12a475bd7b9e0560b913e890c46 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 57e4f34237682c101c8b00fce664a412a18f0b7d99ecfdf6b21d9f9edcfdd0d4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html b6b3a79ddd1fae9a0124371eea66d837eb4db35d4ccaedf2ff36b25e8305eea3 2
@@ -939,16 +939,16 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 430daf624dcdbf68932baba8e0d889873c6399bf795f9136cbbd5b140a31da8e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html e2ed5f256f684c4f805c97e0a739407049b5af31c464ae39fa2bd14b911662f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 3af3e714ebd4e2c94e2357718f0670403d783d36e968bbc5dc6759bb75a4bf40 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html df217bf9ff979fd933158a2b1d3ca18d96ac680275415f8977f48f3c3090c5c9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2266d6b21c2c64b3acd7f3617cf201652989ed32b2aa665eff853245994c20e7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 047776fc0da1e7b875509339ce6010e830f1a4618ae1dc50541e3a62a554c494 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 98b7667c642bb8924c7fb343f9ba439b9a4441fb61eca5cd32ff986302351142 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html a073140e7a67dfb08b80b04185399d469351acd1cf0627ae806b36201dbe839f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 41b976bfcad9c76cc883e0d506b72d91ebd51d804e489ca8f4c24c6baa8b3d71 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html e45ade117f6b17628aa8ccf74028869ddb912ff01ec00ae60eafd606dd60871b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html f0d104f3729158550d339c048f2ebd4afde9de1ec5151b2a831990a78df19e62 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 768cd495550368be30bc92f711dc2c79ce3cc8ca98191455dac72d167483730f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 68b0c5630e89d085b66b7022e036e6d20f44d17c985071d9a26dc33bd55a1284 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 996db6ec04a3eddb69e7b821168047344767006b357924aa5d9736da452e4973 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 85015e5cdb0bb2c9cc0f23d676fa422ac0a17b32c921b231b5a9132b35dbe7b9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html c5b8e8b0b96109a685b627014f4fa5647a3673c824547f5a0e94e89a1f62b388 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html d9ec580dbcd535cd75e355ab68c8b98a2b71415b752bc1a8cf8c1f8994008ce6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 4f07fb0302ce6bfdb9bbce200936e6fac47e0533e1e737ca9a8c6b07c6f3d02b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 8d03bec30d3e8932250088764c764713302618a467efd4cf32ffe75752638e0f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html b6e9b945de21fe32d0e78e6e4def6c69168be9a5090550249f8f831495038e0d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html e5c75501f6cdace6c53e081d16001286c0622457a5182f4bd100661c3cb88626 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html a04530a05551ad175e8e7b516820606433d1fae1c572eb12b9a0623d1aa643e6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html acbbcd8ff958b347c32cf7b30034c3a425985fcc8a13e4a69ef4d9a4fa4893db 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html ee6c3e2a6588e1c3bcc6d52c5f344f90d951ea5fd9a96f5fda690f024c7822ca 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 5bd548d01f3da8919b970b68a75367344daf0c4d6ddd8006084cba6d7e9b021e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 163e68812a8c72d3e94a9d7f158509805824f1341009b5905de7d2dc31531653 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html c32726b56c563c33f18285917b64cee41fcb8e32e4c3fe59e189aeaf8f9e661c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 5d7a1fb31adaeee9d1b1d49192df1c2e22b567d1e941ce1e65eee6c12e9acf80 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html b952f2422d783c9ce727ec70a53a4757e839e5f83253b7bfe17ae6e2bd25d989 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 73fd168bab49851d6f534c2fd93f961bad3ba1a07ed22cc35859b967d80b61fc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html c19837d4ca1d9bb1806da9c5dfea48ab899b10db33242edc3af2e446c1f8730c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 7a3ffb78c3d874a5caa4c87abe671adadec6342b3cdafdceb14bac40910da91a 2
@@ -956,21 +956,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html cbb618071225d1b94ba933b730147415ae0753d1642027ab9e063a2cfc66d05e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html d271ffd28ed165361d390f7d971f5300dd0c9135bbe921accc626f44a397684c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 13a7b3252cea4ed03579c0f7fc9a9175b711fd2ca0cb5491edf32a24fbea22e8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html e6f6034d8107cc3ded3f6d30358216e5ced07088e7780c7f4eb7730be488b3aa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 3a99e1524a536e8cb74f5f748c3fae38df17f20e6939fe5b2c36285a544b90ce 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html e712b82025e107caaa920879fc858d95865a54b4c9e4a9cdadc9f44dd7026b08 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html e0d87bbeedfef1cd9108f9ce76131777559f1110bd5865ad2cbcb8911f5b4b0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 5901837393d6e3c7d75be6b7b7fa92f22c51481ca674ed4c7b02cec118345568 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 205b43c52498b34d85eec1bbc49ee5f567e3b5fcec4164bc07a8363b4a12c314 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 9a315419cbfa6cd65237c3880adaf61314a27c36b41d763e2449d7e1fe7bbaf9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html ef7679ee443acb081443039166ffad78cd30fe692de6c78300de73d7374bba8c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 43c28cce0850e8828c8f8aa389760f7bb3c29cc23a24e2dab57dd4b2fb0dadd0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 4e098824a708506a8c1fc38e52343df94ccb204fa4f5c0ac08b16c3a4ec78ffc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html d0834a7510b3654f1c525b70f6f68f4d70866ec9d6abeb707e057f9ce8d6cfaa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 15155d0bac5ea689018430bd334ac1f4b1e0428cfbf2b05362c7d99d72e30bed 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 0e9f0ab715e72dca5b4ed338c26e2771f3610912e57aa4288b98999a331f4095 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 364ecebc123659177c6d048c31956668f4112ff662cd5a65f388d41b752fcb6c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html efb33055e3e813e3e080c912410ef15b1f1bd4d8d2f42601f34c06feacae8141 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html a52f43cd9c01bda629dc34dde829691ae11a2693ac1eadfc4e8841cb7ddc7756 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html c4335e2b41464428ddbf3543f5250d947c62a64f9b8655c842ac20c60278e1fe 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 159d0ee723f89f64100009ea466e36e64f6fc171435a8e4126ae767c99237b84 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 91a29e0fe5fd136f62545a7ac1161a5d8a77c35439cfbf7b3c79c55b16732542 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 7351539ce04f6dbaebf9f05a2477add6fcc12c0ac3ce6a718a0ca07d610867cd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 11bd4233fad39b58861b7e181d9b1b7367d6f34532ccb856fadefa1117d6253f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html c4a436e97e6758ce50372897d882d9bfd8ee001a9d3c66241503d22f3d4e766c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 5e5799ac0c597e568601043d46e79540c1ca7cbec71916c09905f084ad37f447 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 19062892713883f5a1d84dbfd898e8a2119ac6fa4aea78cbbbd208139d68d391 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 0ccfb8c94e29ee882a4f9ce8f6e9fe502270585434c0991d3513afc7094a122a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 147d5c2b39dbb452cc154009ffce115b9b7d324d5a96b603522022470bbb85d2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 9e2804edf43c1a902eb754c6eb91513b1e75ea7eccdd8d556e3cff4854a7bd4b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html d9d30224a68e7b6769932b28faf002a0d81f7cc4f0f249d9193d172614a88cbc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 140951a828dee8533a7e14d919127dcaec86775a88f3c8df0a9e2c97f2613024 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 0f0efc8855f04364a26fa49b0b7aff04d3c88e1a84c96526be48c77dd57b5231 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html b67a3a2dba9fdafca613ed86ffced7de11310ad9b5bfc9cced9fc37de0dcfe59 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 25bde91b2f12e0d722992ad13b38025e5e7e8e4245c862cd6230fa1d5da3cb4a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 3729d3533783ab98021068c3da12580a410a090a5835f9e72984dc7815c2310f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 3b8e3890e45e4215650e75e816edcb4d08b99138fe9eb7d64e24fb71b5970c07 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html ade9b7441325c9524e0578742c2f7e98edc7cb4c7f980cf6c7bd3282e5f84986 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 7fa16c2769ad9de62da8fd9ec1add99e712c4f1b2c9aeae1661dc5800636a9c3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2343d5fffd549b611f6d5be074b24802e859e727f30462dbd4091a171e7de642 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 51c8feeac1804834be4e6cd58fae8c28d686a753e8b7e5c1ae81e449b15bf688 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 182e6814aa8a3cbdda6542f1492263f947893162ecd2d8c7b4b647a49f170161 2
@@ -978,21 +978,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2988739b9748e5b9508c0f3ca0b78c0bd205e47d7f6716f2958c763df217aa24 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html b6b1a05974c6f3cbf84bf4ad0f86219277ed40a8828ae1897a2642bdf0162d8a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 8e12ea8b85c153a5c77a1494827783bb3f79f6e32aa600dc1a5da8e100be4354 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 9019798d9d05c8dac6cc179916427582162458979351512e91f21b2e7b35f9e9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 1ff3ff90c58105d1a270d56d334a359860965cbc1b3a2a97d3d0e0811266fd46 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html c80cafe7daea97461b0b3386f2d7f38e2cadf3da0a689050b870ac6acc0827e9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 1ec4bab01b3550827743af7a102de706150642bb19d916fcbf10280c50e087e5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 0e53bbf6fa6d3d17ac56c2343dcc985c9041577f9233ebf937c74bc0b4e72c52 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 5c983a29e6ce89044130c5dc02691f7a0d6ab11475788b1fbcd0d286a224d0f2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html ae72c58f52fb35a26fe94aba50b6e51bb8073427a26a6ea389dc28534b7e5316 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html b9eb596b6ce70b2eb77dd2f64cc3be73280488ba78bfc968439e39a350b99a30 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_advanced.html b47c5f90de54544daf8f4e83083cd6a7ce96b4090fecf3a19eb25d5333d8da9e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_basic.html dc8eefd4133c70b688d6246ac0fe74950ce5e400a82919d644316f0fbfef4605 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_intermediate.html 7fbaa485015ac79f3cb396423ad906810fc28e49e8b553fd57cdf8225deb4f96 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html bfdaaca0be866ceb4419470782a643c86b5c954fe4867949f1cf51ea58470170 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html db5e2ac4612e67676055178274dcda469e45a504222972401a23a56ecfc566ce 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 684101acb190280aad7dfee0f5941d727026efd7899f2cb8603130adfc300c3a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 76dce066a7382fa0ead3ed788ce1771e1cfbe47f38def36966015fb16ff60e89 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 98b5c56d7157dc4e9fe34b9eef60b2e0f5b3a3b68a76b90295e3781d758d7c44 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html aa8f64207927c41bb8907527a7a70b410583fa17dc88f42ccb1ef311078727d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 7f28a0c3a8085125fc33f4a3fcb561fc899eff326ad1218825b65bb3b75aa80d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html d2871919bcdb789b7071e7553bf58bcd376d5e0a4662a8f7b56204583a6e2560 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html c5ad21714b3eb23dee967ba4fec414c086c6650786cb20583d541968ceec6a6b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 84870adbab0b4eeed8a3455b03e3d7231dcb2e4118f889c824d3f7dc6fcc45ee 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html df12c05327860e7a06d690535c7f7bcc9aec5837a25c6284d3e3f4f2f49ab786 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html cc1c14b13eebd413b727ffb49be86ec25588c52ac97f12e5e5c618b30b913304 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 98b5420a46c590c673270898e7f8427ed6d753ee1cffdda232c580ffff52dd21 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 49704e864b9b4f14e784dda2ceb85e0c30ef145bef08d3248cda1ebb2c235be8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html ca57a0dd6a1d35349183285fd978a4afd397e2e7b50768cf99e129cb4b7716f5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 0207c5971fc174320d394fe3d5ed43964b4dd6d8ae52288145f3c10861118bdd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 84c29acd1f089cb2522fa42299605869d2911d224ddc91cc9f3bb3a9fb8c29eb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 93c0beed63286a2ba12753ad80a3c95833f05f1f221b609781f6e7301ee176f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_advanced.html 2ae4b4ea9dc1be789dc176a54c1faa0fe5d21ab38884ad3bae0ccd2c78bb1a52 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_basic.html 4899f8df0bd6d139b9d5b9762b920218d0de675645b22ad3ccd514339239a9c5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ccn_intermediate.html f858083741d069339f1771c46e5e2d207c2b97af29936caa14882b50a6739e77 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 500ddcc90b37bea0fd00c1a6fd05c61375b5a383f7f726a4543028f3a0c49eb8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html d1d86c2beec3d40ec3a26f8a08e788f71be4e48fcaa3617102b520c854a5eb26 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 04b604c30c91806d7bf81446f43190fb1c49773b3001777c702306626f8d414b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html d17bd489f5e432c8cf1ad49a6032305ec38da41157ad8cb15d75eba32098cc45 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 0f1d4b5c2257192d0dea02e37fc13ac00d4ed5437ccb0a51e1062088eb38441f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html a8692a5f8c84f5a614ddfe6e41b6f5ded362ff7e9e520f2da8cb20400b98d483 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 6e4d9352974eca1e15d0fee16edad20d33ec84f1af993173480a8bd479d2ac6f 2
@@ -1000,5 +1000,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html c333ff796244405c3dc2ed8c1c148eef1d05fb6141d660fd28ac62f343be3a9f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html f0df1589ec6209ce91271d8f9d4f9c2438417f24414489082f0b91b4dbcd8585 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 5c1fec562a52705e277b5d57b8d6b7a1f7b04a202d8da011ecf0e0bde56ca85a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 092110cd5ccee54ed6acc5b37c4bbad9206649779d5a9784ee7092d42637d458 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 0b59852340fb8d6cfb6879a27dee2f4b6f585c38e676d8a7c6fc317f6f244544 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html dd26fcccb02e23720758aea3e79587b1314faf0f9b3a8fe155dffd4ffee11a4e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 0cff1856f337a6ea428ade6bc22770b169933018bc5bfc0a668c371657c9ec28 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 1a745ab4acc81606242585c8d71f7ca882c2456a0aa730b8d26b286fc4fc9975 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html e47b4d695f26243c579b0b6630e06caadafcd3d29394ab235daee0f75a155f3e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html fe84d5c87efd8847bd6997d2e4b9d768caba527c5303c141930daffb7caaa453 2
@@ -1006,3 +1006,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 4b07ab8f3ae004863ca0d321bde910138f2dde03917d8b3022481fc64b0e05d7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html fa9a6cdca1a39a12efbbf3017f776b7aa2b87e24f62a4da2c0b38374ab80cab9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 3da727e5a51fd9e26f7b9584514ca670d1a5a3687bcc8476b18b6aa4d0ff2f07 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html bf7c3d55539af691ec33ca8989241e4e2ad57dfa39be0c837ef6e8a93f994809 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 038b8c8434c13aeea7f5745ec357895ea312d9406ae2ea833cdbc22387a0612e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 9ba08f92044a0df83441fcea3d566fa747dcef22f527d1de008a9c71cad408a4 2
@@ -1010,2 +1010,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 7dac2b33102a92654cbfbb82497d35bf74d236ff190609f053f23f3e2e96f756 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html e83f4b46ab4baf99662fc3efa50387c351da16fc8fb220c3a6ed9e588fba157c 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 8427cad8547637e5eb03c7a28bf97c0f6c0af2251159d38f83949277ac0e3903 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 6da8f80bd17142bfcfe042ae4be8db9f598e74432f406a65d353a09dfdf5fd45 2
@@ -1013,2 +1013,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 1f91a2d29969f27269d11a29e666bf0db34cdc2f36da20b7840eebd895dd4c11 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html a107e3410769e98c34e6e04d9b97445f5a85e01bd32ee6c5c36880e7e94fd2a0 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2b63448d0394093829c563a17cea83e2c5aabfe2947a6f38975edbe34f7e1267 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2d49f560b76a2736e2b3df27e6f914ac62d1d02f8e0fd2be7a61bd543405ee32 2
@@ -1018,3 +1018,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 3fd4b95afae7a71c4f47b916d1368387f6fdacdfe20c06625526112391a7ed65 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html f00bef393da64bbaae102c541299160cf8bf0860527b72be403c02f41d43123a 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html f6a70c8750599edc2320b0778e48431856dbdf388a05bee990190727621ef726 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 6763403cf56eececbc0fea3e0cb1120bf62a6b95db493b4c29468bb7305d60af 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 91518c7f4339fb2c86248520df85e5dbbb32d454fedd46e0d4ff6e3c005e7a9a 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 10be93ff55597e85984df0049482ca91e1e03e2128e1c6d8ba4d631f741864a2 2
@@ -1024,2 +1024,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 9363ddf93f931b9ceaf148406bbed55c942d15b14b875ff27b30d76a51b74f3b 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 393dd322e7540525e5845052af518e2dd86529dd0a19f851cf2c122f4e0caad9 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 8f249e569f0ab31630e19b8dc5bfaf5390d9ad0ea722eb070902559810508f07 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 3ecbc0ad2ec7673d41bb9940dfdd4406ef711c0de5599210e70dfa77c8cc9112 2
@@ -1029,2 +1029,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html f3212033293a4f06fa2cb327921d46e936a155ed9790655c01f05e45bd7cd5eb 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html a87ed639c6518dfab12fcb97796db39ab61baaeab3f172aef67350fc9b6bb976 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 0f65534931c3e76dfa11aa70a2d87eb340ab85b7f552258e0b6d4e15223c9720 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html a077baef638952ce224b4d523a8bd252b8a82ffcf70986cf637998a331952af3 2
@@ -1035 +1035 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 9230b64e2e5ef3a15c1b1df278e056dd151a803c3e902dd9d1f3915ab33b31e6 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html abcda2a92d15133b9e2461b84c975128497511ca8b09e57e87088cdfcf2bc720 2
@@ -1040 +1040 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 755e500971b961cae944b829e2e98d6aeee0b47645202a8409644b4607d794a7 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html ef0a061e773cca70e9942cefb7101b7c3014b8da60d9d4346ca87fbc43a3537d 2
@@ -1042,2 +1042,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 5deb83e0d9890f0b1b65ae389b2899a03ebe70bff84c1009c75587bc41d09c6d 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 238a51d1e44fb5e4a82d9d74e2ad2c17dbd80b54161d7fb78c4b2c81da4ab833 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 300adcc18056227de6823b417ea8b286cc502b86b13c5ba20b685b3a6e2bf6a6 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 7cc141165d7642409721ba01ef09c3a88af163156b2b68339ece8452e92faf32 2
@@ -1048,3 +1048,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html f816ed021ce8d902a0ddb9feaa50b63283c25f62313e2b9d66c885fb6d54514f 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html c02b2bb41d48b6c0aaeae8d97e90cc5816e6cb0247a59ff6345c488e68a5b0f4 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html b44b36b04c2a3e74e142518cb25f6666297b9980cdf33826b1023a391e1ee6a1 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html e41f181aa3029c670e23a3ed212a5c3e8974f0aaef88780f6d3be51a8c0e8efe 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 445aa31a9f6cc1dfcb2a6e0d3817441b7944d65ae514a1c5a98d2b2113cfd870 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html d4d97913ed85cf2d52b0b09e768655331896be2627aa4ef1955c9bd64e31ad5b 2
@@ -1060 +1060 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 86c7856c0049f7a1cb006be4d28372e4ccd59860280c7abce704913dc5c73aa4 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 4c97c10d4a513baa69a30972da63ea8ecd9b07ebba1ec07f0aac858ad9d838f3 2
@@ -1062,2 +1062,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html d200accd07d4f904a8162aa188abe9c42536e886b5079cdf0ba596f066e4070b 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html b8eacf6f3d83f1f257832ad3d814e496c2ecb29dbeced9d932e91f29d1d5c73b 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 41586b6946a16a1f59c59e7bfc27649677eb7d6bf1031d094c159a5d8aba4b50 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 9d40205a6f466674e70d4cfef85abc4e9cc3ea2ce33e524ff05f33fa28a98203 2
@@ -1067,2 +1067,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html c0904bca1c32371f700244d35fda8fdea5ab6291e50c414b0f9194e23b9aec79 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 3eae2d321aa8e28acfce4d8433a2b98a51ec8ec1ea12e6f1aa054fdc37d11781 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 8957bed2dc3362eacbc2f099b3237ea9d9756f241c12074ed5d7cc32a16ccaf3 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 6e6e07aeac118e73212250b9d2477e643daee879045566040c88dbb03699baec 2
@@ -1471,2 +1471,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 83df51ef2cf3122d9331691b932aa2471273f08e852ea635d7f4ea67d0977d7f 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 519e6102b1d78b6baba98a6e15f1a35a54d94ff5c2e4b1a9761b3ff00ddf18b1 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 89ca55468c2fffc1ed5089c856d6fdd03a084962892415782d178506e4f27e55 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml cd290f72ef937e42277b1d1790fc435060d8285df014ab74b5bc9e8682d44409 0
@@ -1476,9 +1476,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml ccaa9abc2f56be0660fc4b74d21d82e2bf9b9a461f8ffce1e3ac4d86d7cb1580 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 8a65eef0dd9ffdb4a5a5340849eeb151d910e4a532cdcee28a2ca8daaceeced4 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 71e73765e15a5c15064e75008cdd60fadb6d182e44acd17da942d7fff77d84a0 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml eea5f1626980a4274aa9304902057a32662f3f2f38102d00bd994c0823cb66eb 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 6e780a9de88e4f06358277806763b92cb51a0185cc402a89222216820dfa6abf 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 35b5c11e25158e96e8fd2c2367303aaa1ed7271d02f85e4bd96c4a896f479e57 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 6235f7c706ce67a5d945c9e700db702638b7dccedd64ce69fb33897eb1babb85 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 5847714d6b3f885cbfe90fbe15f916e36d434850e21a5c94440efca22e01036b 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 0d78c9063b183c0416a8c2fd1454a3c9bc32d8d9325ba3f0a38e344b1ab3c368 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 7ff969ceab14bb409c1d6c7297bfea30f9ed1ee1df9fb3ed2ef671a51b02c744 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 209b514f000b21e9a660369e486826fee7c29cf9e9b41d71fb1cb00d13238cd0 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 29a05fbf9a6dc1d77c6608d9db981655ed4639dd3664795a8b515aefa9ddd9cc 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 70c42d045cc5e555987ba6cb11834d4efd190de0f62dc5e7fb701c0352184e8d 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 44f2f803554f06a1f1691afa5813888417b4d853a62f153f038f427199e1eca6 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2fc2da3afa1c1617dedc306b732361d16881da47b1bcf7c91679252e40478153 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 3b26db5ac0aa133f090137dd94603afff60bda6f4d0580105968053b50e1f103 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 59bb8ea28573cffe5a3ffb03e1335a6279d7987db5c90a187c5f99af4559eb25 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml f7b1d42f25c173ebde7db6c39c9c4eb908233c493fc1403a699cfb5c1a161e1d 0
@@ -1487,3 +1487,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 0c4a2bb626ca15a1eb7b51ef0ca3a844885507a0a854d5fbf7963c05c8327fa3 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 721a9dd84831fb1865b3e553b43c0d8476e6d3d636394f61a8aa7e330d233964 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 1bf1f52172c48327e4ce5238307572331cfc7e887887df45ed13e8f81f237dd2 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 18135b0acba3407021d88f43f82df0ee0c980bba8c85109edc492b90c3af7102 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 1e2a2d53c65d7669a2bb20abb64757472287cf6f1f734369d9031d65af12d600 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 8483a8899ed6073674cc5cc96e64818a8a4c2910846d9a056f7a6e9d1c893ef8 0
@@ -1491 +1491 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 96deeef999302dd26c23879fc3d1f7441c2c8cb8fb28eeadd8d5fa3f2f076ee6 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml c28dc53592639c2516e8c5bf13139cec5a6444ab7330565d476cad8e81f8d656 0
@@ -1494,3 +1494,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml c0cd8ab1c4bda492a7b70af2ec4d423ce38533d41da03c81fe23f09c422af7b2 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 99283eeb1ef9883bfd0b22c24d4a31a87da65df13b884f5b978d4582e4d9f526 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 3c77b5d3af3d0594b8fad2ca5d0341ec008c932b64633cf3cf1e779631630364 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml d1d4d6cc0e2852f82b92f97fb693efdf1534f3e995ee6f388542ed96403c2421 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml fa6f0689d442d1f51db3c173112cbeb6c9d506c702c233cd3e3601b5fdccf613 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2440660c0df3f837978e6a12a826bdcfea2f662d4ccb103dfcd19e4fb1091fdd 0
@@ -1498 +1498 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 447fa62f4b5574a39673cc73e78510257af19a07a1c6b5b5a172f7d8cfa40065 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 4d605e5a07287d117815f44fc3a48b98ca85280beda73fc7aec63489a36ea60d 0
@@ -1501,3 +1501,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml e1d2b7b0ea3c155c91789b1aab950231780a12f60bdca9f8717ceca076f74798 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml a6fefe2e73bc0a42658ae131eaf842343594904bf3bd771b4ffa17a579d27594 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 5132a1a1f4287adbd4201d3ab7225b58b00c94b916bc3495eb5de8b25f67711c 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 32e20a966f19cc9d1936f575cc0bb2686cfabadd4a123a957c09338d4920ae24 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 1dac772bf699cb56e6f0b404996b8e771c0dfa38ca03bcc7af0a8a2a5765038b 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml d906dbce868b242a293cf56a5a5cd5d0f30f91088c8a6549f0e85f1594d1ca7b 0
@@ -1505 +1505 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml c9b7264155f9b6d72f0f936f4f37f3f1b694877642071e05d036127b68394690 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 849bbea63070ea8d8d623ae79c81688d2f53fa3065c7b180a1ae64b88f37986e 0
@@ -1508,3 +1508,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml afabad8e5de39d676149dfe63f72cc20c90ce267d0ced5244a3301c4acdaf4ae 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml d66c87fe201a257eac064b7ea9cd15c79d668a61646e8dd73954c8bb37da6904 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml ba6eec748a75194033c00b698100dc1f3e5185ed8ca19dc3e492a27e60b441f5 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml ef0a656a4a4b30a0fa68d96baaf9c500cc484b2f344a8f9b8b2c967f323711fa 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml e207b13848c5fa7cb34012914c40cbf2f9caba97fae97c98b4a8f49e32a377c3 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml dc65c82ccd6a2b50578bbe3097a0a7d27734511289b9b0765cdbb748d920172e 0
@@ -1512 +1512 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml caec1290880538353e4757b3b211b85cd459224b8c3561c19ac90cae0cfafd1f 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml acc23a0ccbfc79dcdec179590ab0894c7611ac7932f7d1d1dcd2d11e90f9f408 0
@@ -1515,3 +1515,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml d66f708d071128e4e602173a6e4544427a8fd081b40f9b827394c84a32e4cf80 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml cc5ce6dd9282908428e0211df8eaa883bc77e0b06067639e1588afc2cce4c9c5 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml ca9f4b7476eaca3e5f3ae1d42a1d78a66629b6f0d6060a12a718945e9e17bf3f 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml c304c4702a67c412ac9332b5638dfe861a5fe7de2b6e68ad0680add566d0b437 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml bd56bba33f80ec914d04d5961e0cb0b5bfe2375c2eb914037fb0becc982b7b0b 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 5f1df301f5154b3588de9a5b30edbf79d7ce91e4c997f3fcf0bc90dbfa444bea 0
@@ -1519 +1519 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml e004b9c9d9b7d74e593d4308dd4a0ab910149a3aef456f4904ba1b8a2e3c4b5f 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml d7e1a9d08eea9ac0290c30c1cda70259f75ddeabc3c7c6c96b317f46cd4c0cb2 0
@@ -1522,3 +1522,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml dbbaf2605196386a38f684cf1555d4fb04e5f9e8476b3379278b596ae19df2d7 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml c1218c87215f445de84f25c33bcdce4a4d1a571179bca57a1e00f49374b9d0ec 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml dd32c5e255522921353646073e83bb4e2fa006cc461cbe66b6bc7904bc4747e4 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 3aca1e51715b0a0dc387ee6b206dd66d55ffd31b993676bd09fefe129e8d71a7 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 38c0cc039da86468a6ea8ffdd42ac07df0bfed89c6e090065daf165268597c1b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 3917e7397c0c8f76922f10d03618f0b54543b9b9e0f98d90dc163b3475b749b0 0
@@ -1526 +1526 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 8c5e2e8597004124df41e146ca84134464e00ad612f29b653797dbbda6b8a5b7 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2083e187f9d2e1f2aa0e23e34c87cd1bad9636f10850cd38d21d2f7bb9693a85 0
@@ -1529,3 +1529,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 1f489f7ad1d87e8741ac03e6a74cd205f2fc98661477a9765d8aa71c24573666 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml da769471ea9eb5f5c7f724d740412c2aedc37ce5152a4bc63ed803cc197f0634 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 96d9fd50636cd682469a7630dd73d3c0df1effb6fedb1b19869253f3c61daae4 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 307c6d972676c68788725b97b3e86316755dd75a5734e58e37eb19df7706c16a 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml fe64950d7d8288d1d5af581c87faa4cc1eec49d016f1c45cbc0e2bb12bcd2419 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 9d36f3311dbb596398d470ec99e4f9b29111e055f4c26fde6bcbb460099c7fb3 0
@@ -1533 +1533 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 5bf8e9abfb8c1b6bf47a3bd891e0d9cfb0557cfda84daae477485a2682312206 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 8c39e6b8a4b817db410b58879575755a0059c0bb541917052e358d022b95caab 0
@@ -1536,3 +1536,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml f7cc1b6b58693558db55bddb0bcc81f58311412170088d24f8ea04fcd9ad3e57 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 8fbf8038bcdaf757e8c64b651e30b4df863fab086750a47d5cbe3dd397534aaf 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 57867ea947dc7996d558191ebbb9608479045976dc9a27e927ddc5e025017977 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2e1e87006aeb9b1426115e02f16a360f2295a94a997769bee28a1141ea659134 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 9409b0d3486947e14a6f139cd1a9bc6c4a9cb720fdad2e498751349a425eb775 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 70ac1a4cf129769f8931102e5f0fd3c15a2bd7faca37f47c617f80444b2e1329 0
@@ -1540 +1540 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml bc61b1c56ad0b1ca628866b7af7f5c548673bb9bbda4b0fe76251fae822c2345 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml ba3820f9ab986e31502b19a5cb239b5eac634395bc828ebc7a0d3aa68aa481d1 0
@@ -1543,3 +1543,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml b7e1ed77c79760f26a8aa4b67fb7c66e2f534315f54b0abc6fbdfc54d2145134 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml f939d7be034f50888a43548c8a81549ff44fbd52268a725da2f7a8a38da15fda 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 7cf153b1dc6ef3bcbf755683859d0772e83bbaec11a76d05294fe26b4ca77453 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 777502d599e18b57cfec495137dbc383873591e34732d0af443dfa1fb1da768a 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 04b2a2e4520f70bad42327b05b16732abe069fc288fd7042a1ac1dbce6fa7d53 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 81f3aea0bc115b5acbb0bd2bdff75eaffccfb4d28249f9f8c044ec3561918e0c 0
@@ -1547,4 +1547,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 6aae18a5d32ac4276de7e92bec45f636f07b082d02355f5f64a747f3ccddf5b0 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml b2f6d41f0e49ead45cd740789b504e2c3cdbb986aa4b48b7152b7eec388d4108 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml c79328ae6b282688c628bbd9a20cb99ab5a3e68c5ef4d9051e570e609c8a5dd5 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 3569d53427912602dc0d69bc5e932cf590f858f29b43d396fcc3d2babc9ad60d 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml e94f9c085064c75ad8675b315dd99cb15b53c0e98b083f89fe58068dc3bceb3c 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 45187fee2e53e0b529baae01838d493de70e1920a6fd3a122625345dea12e5f8 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml d3da086113a9a7ee856fdfadb01b38636e3f2c8db72630ac7758ffcce000ddbe 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 1e394b31ef007374b46a8cdc05aa9af9b8df19226d4352c0683bd36de122c739 0
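Review bot: the checksum changes are not confined to documentation; the tailoring files (`rhel7_stig_delta_tailoring.xml`, `rhel8_stig_delta_tailoring.xml`) and every datastream, XCCDF and OCIL file under /usr/share/xml/scap/ssg/content differ as well, and those are the artefacts `oscap` actually evaluates, so this cannot be treated as a docs-only rendering issue. Before accepting the package, diff one pair of these XML files the same way the HTML guide is diffed further down to confirm that the delta is only the status date; if anything else moves, the rule content itself is being generated non-deterministically and scan results could differ between two builds of the same source.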
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 2023-10-17 02:00:00.000000000 +0200
@@ -84,7 +84,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
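Review bot: the only change in this hunk is the date in the Revision History line, `(as of 2023-10-20)` becoming `(as of 2039-11-21)`; a 2039 date cannot be a real build date and is consistent with the rebuild having run with its clock set far ahead, which is what surfaces values taken from the clock rather than from the source. The guide renderer is therefore stamping the current time into the output, and that alone explains why every guide HTML above carries a new checksum. Derive this date from the benchmark's own status date (or honour SOURCE_DATE_EPOCH) so that two builds of the same source render byte-identical guides.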
@@ -139,19 +139,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -168,6 +156,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
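Review bot: the `+` block re-adds the Anaconda (`+package --add=aide`) and Shell script remediations that the previous hunk removed, character for character (same container check, same `rpm -q --quiet "aide"` guard, same `yum install -y "aide"`), so old and new guide carry identical remediations in a different order and this hunk pair should be treated as ordering noise. One thing worth raising upstream while looking at the script: the `else` branch prints `Remediation is not applicable, nothing was done` to stderr and then falls through to `fi` with no explicit exit status, so a caller cannot distinguish a skipped remediation from a successful one; an explicit exit code there would make the script's result unambiguous.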
@@ -190,24 +190,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
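Review bot: the header says 24 lines were replaced by 7, but the rendered body shows only unchanged text (the AIDE periodic-execution rule description and its reference list; the leading `- ` on `BP28(R51), 1, 11, ...` appears to be the HTML list bullet rather than a deletion marker, as the CPE platform bullets elsewhere in this report are). The actual change did not survive the HTML-to-text rendering, so it cannot be reviewed here; check the raw HTML diff for this hunk. The same caveat applies to the other hunks in this report that show no `+`/`-` lines at all.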
@@ -323,22 +323,7 @@
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.5.4 | | |
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -511,15 +511,7 @@
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | Identifiers and References | References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, 1.7.2 | | |
| Group
Updating Software
Group contains 3 rules | [ref]
@@ -580,35 +580,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-204447r877463_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 69 groups and 233 rules | Group
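Review bot: the only `-`/`+` pair in this hunk is again the rendered build date (`2023-10-20` to `2039-11-21`), here inside what is evidently a second guide's Profile Information and Table of Contents block (`69 groups and 233 rules`); the `- BP28(R15) ...` reference list and the CPE bullets are unchanged context. The per-file `differs` header that would name this guide is missing from the rendering, which makes it hard to attribute the hunk; when filing this upstream, name the guide by its group/rule count until the raw report is available, and treat the date line as the same generator-clock issue as in the first region.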
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
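Review bot: this hunk repeats the aide remediation reorder seen in the first guide: the Shell script and Anaconda `-` blocks deleted here are re-added unchanged in the following `+` hunk after the Ansible snippet. A single fix in the generator (a stable sort of remediation types per rule) would remove this and every similar hunk pair in the report, so there is no need to review each repetition on its own.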
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -315,21 +315,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips-aesni_installed | Identifiers and References | References:
- BP28(R1), 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223 | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -575,19 +575,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
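Review bot: the deleted Shell script (`rpm -q --quiet "sudo"`, `yum install -y "sudo"`) and Anaconda (`package --add=sudo`) blocks are the sudo package's remediations, reordered relative to the Ansible snippet exactly as for aide. Note also the stray leading space on `- Remediation Shell script ⇲` compared with the aide hunks, which suggests the rendered text preserves whitespace differences around snippet headings; normalising that in the rendering step would make like-for-like hunks easier to spot.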
@@ -601,6 +589,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -610,27 +610,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 70 groups and 289 rules | Group
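Review bot: the `-`/`+` pair in this hunk is once more only the build date, following the unchanged `sudo_add_env_reset` rule text and `BP28(R58)` reference; the rule block, CPE bullets and the `70 groups and 289 rules` summary are context. Two unrelated observations on that context for an upstream content fix rather than for this diff: `accidentaly` in the env_reset rationale is misspelled, and the description never states what counts as a "minimal environment", so an auditor cannot tell which variables survive `env_reset` from the guide alone.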
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -296,24 +296,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -438,35 +438,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-204446r902701_rule | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SV-204498r880856_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 55 groups and 160 rules | Group
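Review bot: the `-` block removes the entire "Configure AIDE to Verify Access Control Lists (ACLs)" rule (description, the `FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256` example, rationale, references, `SV-204498r880856_rule`) and nothing in this hunk re-adds it; the date pair `2023-10-20`/`2039-11-21` sits in the same hunk, and the `55 groups and 160 rules` line that follows belongs to a different guide. Unlike the remediation reorders, this cannot be dismissed as ordering noise from the visible lines: either the rule moved outside the shown context or it was dropped from the new build, and a rule silently disappearing from a profile guide is a content regression. Confirm against the full diff before signing this off.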
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -451,19 +451,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -477,6 +465,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -486,27 +486,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 7, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 7, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
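Review bot: the `-` block and the `+` block are the same "Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot" rule, so this is the rule moving one position relative to `sudo_add_env_reset`; the `+` copy is cut off after `in /etc/sudoers.d/` by the file header that follows, so the rendering truncates hunks at file boundaries and the trailing reference cell of the moved rule is not visible. Separately, and as upstream content rather than part of this change, the sentence `On Red Hat Enterprise Linux 7, env_reset is enabled by default` sits inside the ignore_dot rule where a statement about ignore_dot would be expected; it reads as carried over from the env_reset rule and is worth checking.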
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 26 groups and 42 rules | Group
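Review bot: this is the one hunk that arrives with its file header (`ssg-centos7-guide-anssi_nt28_minimal.html`), and its only change is the build date line. The `---`/`+++` header shows identical modification times for old and new (`2023-10-17 02:00:00.000000000 +0200`), so the `2039-11-21` value is generated inside the HTML, not inherited from file timestamps, which narrows the fix to the guide renderer's date source.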
@@ -111,22 +111,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-204430r853885_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-204429r861003_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-204429r861003_rule | |
| Group
Updating Software
Group contains 5 rules | [ref]
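Review bot: the `-` and `+` blocks are identical copies of the NOPASSWD rule (same text, same `SV-204429r861003_rule`), so the rule changes position relative to the `sudo_remove_no_authenticate` rule above it. The two rules carry near-identical reference lists (they differ only in the trailing SV id), which is consistent with the generator ordering rules by something unstable such as insertion order in a hash-based set rather than by rule id; sorting rules within a group by rule id would make the guide order deterministic.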
@@ -255,35 +255,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-204447r877463_rule | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SV-204448r877463_rule | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SV-204448r877463_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 111 groups and 341 rules | Group
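Review bot: the replacement revision line '+ (as of 2039-11-21)' stamps the guide with a date in the future, which points to a wrong clock on the host that regenerated the HTML rather than an intended content change; regenerate with a correct system date before this is merged, and note that the same 2039 date recurs in every profile section of this diff. Separately, the description, rationale and references of ensure_gpgcheck_local_packages are removed and re-added byte for byte, the only difference being the 'Profile InformationCPE Platforms' cell appended to the references line, so the real change is a layout move that the diff makes hard to see.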
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
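Review bot: the 'Remediation Ansible snippet ⇲' heading and its 'name: Ensure aide is installed' task appear twice in a row here, separated only by the added blank line '+', so either the regenerated page now carries a duplicated Ansible heading or this hunk is misaligned with its context; the header '@@ -134,19 +134,7 @@' also announces 19 lines shrinking to 7, which does not match the lines shown. Please check the rendered rule page for a single Ansible snippet before merging.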
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
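Review bot: this hunk re-adds the Anaconda and Shell remediations unchanged from the lines removed in the previous hunk, so its only effect is to reorder the snippets to Ansible, Anaconda, Shell; nothing in the diff or surrounding text says why the shell remediation should no longer come first, so the commit message should state that the new order is intentional. On the moved shell lines, the applicability guard falls through to 'yum install -y "aide"' whenever neither /.dockerenv nor /run/.containerenv exists, which is pre-existing behaviour worth keeping in mind for container runtimes that create neither marker file.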
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
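Review bot: the only marked line in this hunk is the references line for aide_build_database ('- BP28(R51), 1, 11, 12, ... SV-251705r880854_rule | | |'), which carries a '-' prefix but no '+' counterpart, while the header '@@ -184,20 +184,7 @@' claims 13 lines were dropped; from this rendering it is not possible to tell whether that '-' is a removed line or the bullet marker of an unchanged list item. Please confirm that the rule keeps its mappings (CM-6(a), Req-11.5, SRG-OS-000445-GPOS-00199 and the STIG id), since losing them would break traceability to the frameworks the guide is meant to satisfy.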
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
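Review bot: the references line of aide_periodic_cron_checking, carrying CCI-001744, CCI-002699, CCI-002702, SI-7, SI-7(1) and SV-204445r902698_rule, shows only a '-' prefix and no replacement, while the header '@@ -295,24 +295,7 @@' says 17 lines disappear; because this rendering uses the same '-' for unchanged bullet items, the hunk does not show whether the line is really deleted. If it is, this rule's STIG and NIST SI-7 mapping is lost and should be restored before merging.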
@@ -432,20 +432,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
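Review bot: the 'Remediation Ansible snippet ⇲' heading with its 'name: Check If Prelinked Is Installed' task is duplicated around the added blank line, exactly as on the aide rule page, so the prelink rule page needs the same check for a doubled heading. One naming nit on the context lines, which come from the upstream Ansible content rather than this change: the task is named 'Check If Prelinked Is Installed' while the binary and package are both called prelink, so 'Check If Prelink Is Installed' would read correctly.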
@@ -481,6 +468,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 7 rules | [ref]
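Review bot: the re-added shell remediation keeps the right sequence, 'prelink -ua' to undo prelinking while /usr/sbin/prelink still exists and only then 'yum remove -y "prelink"'; reversing the order would leave prelinked binaries on disk with no tool left to restore them, and their digests would then fail RPM verification. Style point on the moved lines: 'if [[ -f /usr/sbin/prelink ]];' has a stray semicolon before the line break, and the two blank lines inside the second 'if' block serve no purpose; both are harmless but worth tidying whenever the snippet source is touched.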
@@ -653,69 +653,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 273 rules | Group
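Review bot: the hunk header '@@ -653,69 +653,7 @@' says 62 lines of the dconf_gnome_disable_user_list rule disappear, and the lines shown with a '-' prefix include the references (CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3, SV-256969r902690_rule) and all six cpe:/o:redhat:enterprise_linux:7 and cpe:/o:centos:centos:7 platform entries, with no '+' side for any of them; since this rendering also uses '-' for unchanged bullet items, the commit message should state plainly whether the profile platform list is really being removed or only re-rendered.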
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -432,20 +432,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -481,6 +468,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -578,69 +578,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 93 groups and 266 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -432,20 +432,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -481,6 +468,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -578,69 +578,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 108 groups and 338 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -432,20 +432,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -481,6 +468,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -653,69 +653,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | Group
@@ -145,16 +145,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
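Review bot: the references line for rpm_verify_hashes ('- 11, 2, 3, 9, 5.10.4.1, ... SV-214799r854001_rule | | |') is the only marked line in this hunk, with a '-' prefix and no '+' counterpart, while '@@ -145,16 +145,7 @@' reports 9 lines removed; confirm whether the CCI-000366, CCI-001749 and SI-7 mappings for this rule are being dropped or merely re-rendered, because the same '-' prefix is used for unchanged bullet items elsewhere in this diff.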
@@ -337,32 +337,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
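Review bot: the shell remediation for rpm_verify_permissions is deleted in this hunk with no `+` counterpart, and the only added line is the references list appended directly after the Ansible task header `- name: Read list of files with incorrect permissions`, which leaves that task with no visible body (no `rpm -Va --nofiledigest` listing and no `rpm --restore` step). Either the Ansible body was lost in extraction or the rule now ships without a working remediation; confirm against the raw diff, and if the shell script is meant to survive, keep it as the reference implementation of the permission reset. Minor: if the script is restored, its comment `# NOTE: some files maybe controlled by more then one package` should read `may be controlled by more than one package`.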
@@ -468,19 +468,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
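Review bot: the line-based diff has paired the Complexity/Disruption/Strategy table rows of different snippets, so what is only a reorder of the three package_aide_installed remediations (shell and Anaconda removed here, re-added after the Ansible snippet in the -497/+485 hunk) reads as if the shell `if` body were being deleted from under an Ansible heading, with the `# Remediation is applicable only in certain platforms` comment left as context. Regenerate with a move-aware diff, or diff one snippet at a time, so a reviewer can confirm there is no functional change hidden in the reorder.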
@@ -497,6 +485,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
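Review bot: the platform guard `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` only recognises Docker/Podman marker files, so in an osbuild/bwrap build environment the re-added snippet will still run `yum install -y "aide"`, whereas the dracut-fips snippet later in this diff additionally tests `"${container:-}" == "bwrap-osbuild"`; apply the same check here for consistency. Otherwise the re-added block matches the one removed in the previous hunk, so the change is a reorder only.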
@@ -518,20 +518,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
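Review bot: the references list for aide_build_database is deleted with no `+` line, and the hunk header (-518,20 +518,7) says 13 lines went away, so more than the single visible `-` line was removed. Elsewhere in this diff the list reappears after the remediation snippets, but here nothing is added back; confirm that the mapping to SRG-OS-000445-GPOS-00199 and SV-251705r880854_rule is still rendered for this rule, otherwise the STIG traceability for the AIDE database check is lost.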
@@ -629,24 +629,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | Group
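Review bot: this hunk runs straight from the aide_periodic_cron_checking references (-629,24) into a Revision History/Table of Contents hunk, and the next hunk header restarts at -161, so a `---`/`+++` file header between two guides has been lost in extraction; the `-` references line ends with `| Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client`, which is the first line of the other file's hunk fused onto it. Re-extract so each guide's hunks sit under their own file header before reviewing, since as shown it is impossible to tell which guide the Revision History and Table of Contents belong to.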
@@ -161,19 +161,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
@@ -197,6 +185,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
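Review bot: the platform guard on the re-added line `+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then` tests the two container marker files twice, once in each `&&` operand, so the trailing brace group adds nothing. Simplify to `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ "${container:-}" != "bwrap-osbuild" ]; then`, which is equivalent and avoids both the subshell and the bash-only `==` inside `[ ]`. Apart from that the re-added block matches the one removed in the previous hunk, so this is a reorder of the dracut-fips remediations.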
@@ -233,74 +233,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SV-204497r877398_rule | | |
| Group
Updating Software
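Review bot: the hunk header -233,74 +233,7 says 67 lines were removed from grub2_enable_fips_mode, but only the references `-` line is visible, so the extraction has dropped the rest of this hunk; judging by the other rules in this diff, the missing lines are most likely the remediation snippets. This is a high-severity rule whose description instructs the reader to install dracut-fips and rebuild the initramfs, so confirm from the raw diff that its remediation is preserved, or that its removal is intentional, before merging.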
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | Group
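Review bot: the only change in this hunk is the Revision History date, `- (as of 2023-10-20)` to `+ (as of 2039-11-21)`, which lies in the future relative to the 2023-10-17 timestamps in the `---`/`+++` headers. That points to a wrong build clock (or an unset reproducible-build timestamp) in the generator rather than a real content change; fix the build environment and regenerate so the guides carry a correct date. The same date change repeats in every guide in this diff.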
@@ -147,16 +147,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -334,28 +334,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -459,32 +459,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Sudo
Group contains 3 rules | [ref]
@@ -586,22 +586,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-204430r853885_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
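Review bot: besides dropping the references list for sudo_remove_no_authenticate, this hunk deletes the title and description of the next rule, `Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD`, with no `+` counterpart, so the E8 guide loses a rule rather than merely reordering remediations; the header (-586,22 +586,7) confirms 15 lines gone. If the NOPASSWD rule was intentionally removed from the E8 profile, record it in the changelog and check that the Sudo group's `Group contains 3 rules` count is still right; if not, this is a regression in a medium-severity control.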
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | Group
@@ -150,16 +150,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -342,32 +342,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -539,69 +539,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings . For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update . | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
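Review bot: this hunk removes the `Require Encryption for Remote Access in GNOME3` rule from the HIPAA guide, including its `[org/gnome/Vino]` / `require-encryption=true` setting and the `/org/gnome/Vino/require-encryption` lock, with no `+` counterpart, and the deletion is cut off mid-rationale at `Open X displays allow an attacker to capture keystrokes and to execute commands`, so the hunk as extracted is incomplete (-539,69 +539,7 means 62 lines removed). Confirm from the raw diff whether the whole rule is gone; dropping the control that keeps remote-desktop sessions encrypted from a HIPAA profile needs an explicit rationale in the changelog.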
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
@@ -101,7 +101,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | Group
@@ -168,16 +168,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -360,32 +360,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -491,19 +491,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -520,6 +508,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
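Review bot: the -491,19 and -520,6 hunks for the aide package rule only move the Shell and Anaconda remediation snippets below the Ansible snippet; the bodies on both sides are identical (`yum install -y "aide"`, `package --add=aide`, the same `/.dockerenv` and `/run/.containerenv` guard), so the two builds of the same 0.1.70 draft differ in nothing but the order in which remediation types are rendered. That is a symptom of non-deterministic ordering in the guide generator (iterating an unordered mapping of remediation types), not a content change. Emit the snippets in a fixed order, for example sorted by remediation type, so that identical inputs render identical HTML and this noise disappears from the comparison.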
@@ -541,20 +541,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -652,24 +652,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | Group
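Review bot: the only changed pair in this -652,24/+652,7 hunk is the build stamp, `- (as of 2023-10-20)` becoming `+ (as of 2039-11-21)`, and a revision date sixteen years in the future cannot be a real release date. The "as of" value is evidently taken from the build host's clock at generation time, which is exactly what a reproducibility comparison run with a skewed clock exposes. Derive it from the content version's own date or from SOURCE_DATE_EPOCH instead, so the guide text does not change when the sources do not. The surrounding reference list, CPE platform entries and table of contents are unchanged context and need no review.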
@@ -152,19 +152,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
@@ -188,6 +176,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
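Review bot: the applicability guard at the top of the dracut-fips shell remediation tests `/.dockerenv` and `/run/.containerenv` twice: `( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }` evaluates the same as its first parenthesised group alone. It is harmless at runtime, but it shows the platform expression is assembled by conjoining per-platform conditions without deduplicating them; the generator should drop repeated conjuncts, or the rule's platform list should not name the container exclusion twice. Separately, `==` inside single brackets is a bash extension, so the guard errors out under a strict POSIX sh; use `=` or state the bash requirement. Apart from the guard, this hunk and the preceding -152,19 hunk only reorder the Shell, Anaconda and Ansible snippets, the same ordering drift seen for the aide rule.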
@@ -224,74 +224,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SV-204497r877398_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
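Review bot: this -74,7/+74,7 hunk of the pci-dss guide changes nothing except the build stamp (`- (as of 2023-10-20)` / `+ (as of 2039-11-21)`), and the file headers just above it show old and new with the identical mtime `2023-10-17 02:00:00.000000000 +0200`, so the drift comes from the generator reading wall-clock time, not from the sources. The same single-line difference recurs in every profile guide in this comparison; fixing the date source once in the HTML generator clears all of them at the same time.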
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -333,32 +333,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
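Review bot: the shell remediation for rpm_verify_permissions is moved below the Ansible snippet without modification, but since it is being touched two things in it deserve attention. First, `awk '{ if (substr($0,2,1)=="M") print $NF }'` takes the last whitespace-separated field as the path, so a packaged file whose name contains a space is truncated and then misattributed by the following `rpm -qf "${FILE_PATH}"`; printing from the first `/` onward (`substr($0, index($0, "/"))`) avoids that, since every path in `rpm -Va` output is absolute. Second, please confirm that `rpm --restore` is available on the rpm shipped with the RHEL 7 and CentOS 7 platforms this guide targets; older rpm releases expose `--setperms` and `--setugids` instead, and the loop would then fail on every package. Minor: the comment "some files maybe controlled by more then one package" should read "may be controlled by more than one package".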
@@ -464,19 +464,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -493,6 +481,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -514,20 +514,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -625,24 +625,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | Group
@@ -143,16 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -330,28 +330,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -455,32 +455,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -586,19 +586,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -615,6 +603,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html 2023-10-17 02:00:00.000000000 +0200
@@ -99,7 +99,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | Group
@@ -166,16 +166,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -353,28 +353,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -478,32 +478,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
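Review bot: the path extraction in `readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')` keeps only the last whitespace-delimited field, so any file whose path contains a space is truncated and the following `rpm -qf "${FILE_PATH}"` is asked about a path that does not exist; stripping the fixed verify columns instead, e.g. `awk '{ if (substr($0,2,1)=="M") { sub(/^[^ ]+ +([a-z] +)?/, ""); print } }'`, keeps the whole path. Minor: the comments `# NOTE: some files maybe controlled by more then one package` and `store packages as it's keys` should read `may be controlled by more than one package` and `its keys`. Since this hunk only moves the script, the fix belongs in the snippet source rather than in this diff.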
@@ -635,74 +635,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SV-204497r877398_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
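Review bot: the only change in this hunk's Revision History is `- (as of 2023-10-20)` becoming `+ (as of 2039-11-21)`, a date sixteen years ahead of the 2023-10-17 timestamps shown on the `--- old/` and `+++ new/` file headers, so the build that produced the new guides most likely ran with a wrong clock or a bad build-date override rather than recording a real revision; verify the build environment before accepting the rebuilt guides. The same future date recurs in every guide file in this diff.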
@@ -132,19 +132,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -161,6 +149,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Disk Partitioning
Group contains 4 rules | [ref]
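Review bot: together with the preceding hunk (`@@ -132,19 +132,7 @@`) this is a pure reordering of the aide remediation snippets, from Shell script, Anaconda, Ansible to Ansible, Anaconda, Shell script; the removed and re-added bodies (`if ! rpm -q --quiet "aide" ; then`, `yum install -y "aide"`, `package --add=aide`) are identical. If the new order is not a deliberate change in the guide generator, snippet ordering is non-deterministic and the guide build is not reproducible; either way the reordering should be stated in the change description so reviewers do not scan these hunks for content differences.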
@@ -278,35 +278,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -371,9 +371,7 @@
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -452,34 +452,7 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, 1.2.3, SV-256968r902687_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 32 groups and 74 rules | Group
@@ -143,16 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,32 +335,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
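Review bot: the rule's reference list is moved, not changed, in this hunk: the `-` line beginning `1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1` and the `+` line that follows `- name: Read list of files with incorrect permissions` are identical, including the `SV-204392r880752_rule` id, and the Shell script remediation between them is the same block as in the earlier hunk. This is the same snippet reordering as in the aide hunks, so no reference or remediation content is lost here.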
@@ -532,35 +532,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -637,34 +637,7 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, 1.2.3, SV-256968r902687_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 103 groups and 282 rules | Group
@@ -152,16 +152,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -339,28 +339,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -464,32 +464,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -595,19 +595,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -624,6 +612,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
@@ -91,7 +91,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 281 rules | Group
@@ -158,16 +158,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -345,28 +345,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -470,32 +470,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -601,19 +601,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
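Review bot: this hunk and the `@@ -630,6 +618,18 @@` hunk that follows only move the Shell script and Anaconda remediation snippets from before the Ansible snippet to after it; the remediation bodies themselves (the `/.dockerenv` / `/run/.containerenv` guard, `rpm -q --quiet "aide"`, `yum install -y "aide"`, `package --add=aide`) are unchanged. If the order of remediation types in the rendered guide is not fixed in the generator, every rebuild will produce this churn in the shipped HTML; sort the remediation sections deterministically (or confirm the new Ansible, Anaconda, Shell order is the intended one) so the guides are stable between builds.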
@@ -630,6 +618,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 68 groups and 240 rules | Group
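Review bot: the only change in this hunk is the revision-history date, which goes from 2023-10-20 to 2039-11-21, a date years in the future, while both file headers carry the same 2023-10-17 timestamp. The guide evidently embeds the generator's wall-clock time into the HTML, so two builds of identical sources differ; derive the "as of" date from SOURCE_DATE_EPOCH or the package changelog so the output is reproducible, and read a 2039 build date as a skewed build clock rather than a content change.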
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -469,19 +469,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -495,6 +483,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -504,27 +504,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 8, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 8, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
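Review bot: the description of the ignore_dot rule says "On Red Hat Enterprise Linux 8, env_reset is enabled by default", which names the tag of the preceding rule (sudo_add_env_reset) rather than ignore_dot; the sentence appears in both the removed and the re-added copy, so the rebuild carries the mistake forward. Either the sentence should state the default for ignore_dot or it belongs in the env_reset rule; the fix goes in the rule description source, not in the generated HTML. While in those descriptions, "accidentaly" in the env_reset rationale should read "accidentally".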
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 70 groups and 314 rules | Group
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -296,24 +296,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -433,35 +433,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-230263r902716_rule | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SV-230552r880724_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 55 groups and 169 rules | Group
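Review bot: in the `@@ -433,35 +433,7 @@` hunk above, the removed lines take out the whole "Configure AIDE to Verify Access Control Lists (ACLs)" rule (xccdf_org.ssgproject.content_rule_aide_verify_acls), and no `+` lines re-adding it are visible before the hunk is cut off: its last `-` line runs straight into the next guide's "Profile Information" header, with no file separator in between. From this output alone it is impossible to tell whether the rule was only reordered, as the aide and sudo package rules were, or dropped from the anssi_bp28_high profile. A rule disappearing from a shipped profile needs confirmation against the full diff or the profile definition before the rebuild is accepted.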
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -185,20 +185,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -451,19 +451,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -477,6 +465,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -486,27 +486,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 8, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 8, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 26 groups and 47 rules | Group
@@ -111,22 +111,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -174,22 +174,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-230271r854026_rule | | |
| Group
Updating Software
Group contains 9 rules | [ref]
@@ -253,13 +253,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
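Review bot: the dnf-automatic Shell remediation has no container guard: unlike the aide and sudo scripts elsewhere in this diff, it runs `yum install -y "dnf-automatic"` without first checking for `/.dockerenv` or `/run/.containerenv`. If dnf-automatic is deliberately in scope for containers, say so in the rule; otherwise add the same guard so the three package-install remediations behave consistently.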
@@ -270,6 +264,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,24 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 118 groups and 359 rules | Group
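Review bot: in the `@@ -279,7 +279,24 @@` hunk above, the "Configure dnf-automatic to Install Only Security Updates" rule is added before and removed after an intermediate `| Rule` entry, i.e. it moves one position earlier in the Updating Software group with identical text and references; the hunk is cut off (its last `-` line is fused with the next guide's "Profile Information" header), so the rule that previously sat between the two copies cannot be seen here, and the reorder should be confirmed as intentional. The rationale sentence "Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability" would read better as "Limiting updates to packages issued as part of a security advisory improves system stability"; that fix belongs in the rule source.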
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
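Review bot: the reference list for xccdf_org.ssgproject.content_rule_aide_build_database is removed with no `+` line in view, and the header says 20 old lines became 7, so the rendered diff is truncated at this point. The @@ -331,32 +331,7 @@ hunk for rpm_verify_permissions at the end of this diff shows the same kind of reference line re-emitted after the remediation snippets, so this is most likely the same relocation; verify in the regenerated guide that the Identifiers and References cell for this rule (including SV-251710r880730_rule) still renders instead of assuming the references are gone. The same applies to the @@ -295,24 +295,7 @@ and @@ -547,11 +547,7 @@ hunks.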
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -475,25 +475,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
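Review bot: the Shell script for the system crypto policy rule (removed here and re-added in @@ -538,6 +520,24 @@) is the only remediation snippet in this diff without a Complexity/Disruption/Strategy table; the Ansible snippet for the same rule carries `Strategy: | restrict |`, so the Shell variant should get matching metadata. A smaller point: `update-crypto-policies --set ${var_system_crypto_policy}` expands the variable unquoted; it is a fixed literal here, but quoting it is cheap and consistent with the rest of the script, which quotes `"$rc"` and `"$stderr_of_call"`.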
@@ -538,6 +520,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -547,11 +547,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
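Review bot: the generation timestamp moves from 2023-10-20 to 2039-11-21, a date in the future, which points to a wrong clock or a bogus fixed timestamp on the build host rather than a real regeneration date. Regenerate with a correct (or pinned and believable) date before publishing, since the "as of" line is the only provenance a reader gets for a draft guide. The same date change repeats for every profile in this diff.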
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 105 groups and 283 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -475,25 +475,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -538,6 +520,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -547,11 +547,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 98 groups and 276 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -475,25 +475,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -538,6 +520,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -547,11 +547,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 113 groups and 355 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -475,25 +475,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -538,6 +520,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -547,11 +547,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | Group
@@ -145,16 +145,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
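Review bot: the reference list for xccdf_org.ssgproject.content_rule_rpm_verify_hashes is dropped without a `+` counterpart in view (16 old lines became 7). As the following @@ -331,32 +331,7 @@ hunk shows for rpm_verify_permissions, the new rendering emits the references after the remediation snippets, so check the regenerated page for this rule's references (CCI-000366, CCI-001749, SRG-OS-000480-GPOS-00227 and the rest) rather than assuming they were lost.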
@@ -331,32 +331,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
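Review bot: the `-` reference list beginning `1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1` and the `+` reference list that follows the Ansible snippet are identical up to the trailing `| Remediation Shell script ⇲Complexity: | high |`, so the only delta in this hunk is the position of the Shell remediation block, not its text or the references. Ordering churn between two builds of the same 0.1.70 content points at an unstable ordering in the generator (fix snippets collected from a set, dict or directory listing and emitted unsorted); sort the fix entries by their system/type before rendering so build-compare stops flagging every rule that carries more than one remediation.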
@@ -459,19 +459,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
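Review bot: this hunk is only the removal half of a block move; the `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` script and the `package --add=aide` Anaconda snippet come back byte-for-byte as `+` lines in the next hunk, after the Ansible snippet. The doubled `Remediation Ansible snippet ⇲` header with an orphan `+` line between the two copies appears to be the text rendering of that same move rather than a duplicated remediation, so nothing in the rule's content changed here; do not read it as the Shell and Anaconda fixes being dropped.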
@@ -488,6 +476,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
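Review bot: `yum install -y "aide"` in a RHEL/CentOS 8 guide where the native package manager is dnf; it works only because el8 ships yum as a compatibility wrapper around dnf, and the crypto-policies remediation in the sibling guides below tells the operator to run `dnf provides update-crypto-policies`, so the generated scripts mix both names. Pick one (dnf on this product) in the package-install template. The `rpm -q --quiet "aide"` guard ahead of the install is correct and keeps the snippet idempotent.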
@@ -509,20 +509,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
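Review bot: only the `-` side of the aide_build_database reference list (`BP28(R51), 1, 11, 12, ...`) is visible and no `+` line follows it in this hunk. On the pattern of the surrounding hunks the counterpart is an identical list re-emitted beside a moved fix block, but from this excerpt a dropped reference cannot be ruled out; please confirm the rendered reference list for this rule is unchanged in the new build before merging the reorder.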
@@ -620,24 +620,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
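Review bot: the real change in this hunk is `- (as of 2023-10-20)` / `+ (as of 2039-11-21)` under Revision History: the guide stamps the wall clock of the build host, which is why a deliberately future-dated rebuild differs. Derive that date from SOURCE_DATE_EPOCH or from the 0.1.70 release date rather than from the current time; that one generator change removes this diff from every guide in the package. Note also that the line ending `1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0` glues the tail of one guide to the head of the next: the `differs` / `---` / `+++` header that separates files elsewhere in this output is missing here, so the hunk spans a file boundary and the two halves should be reviewed as belonging to different guides.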
@@ -145,19 +145,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
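Review bot: the container guard `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` that this hunk moves only recognises Docker (`/.dockerenv`) and Podman (`/run/.containerenv`); a container started by any other runtime has neither marker and will run `yum install -y "aide"` as if it were a host. If the intent is "never install aide inside a container", say so in the rule text and consider a broader test than two vendor-specific marker files; if the guard is only best-effort, document that it is, because the `Remediation is not applicable` message gives the operator the impression the check is authoritative.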
@@ -174,6 +162,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -210,19 +210,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -302,33 +302,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SV-230223r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -463,13 +463,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -480,6 +474,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
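Review bot: the crypto-policies install script (`if ! rpm -q --quiet "crypto-policies" ; then yum install -y "crypto-policies"; fi`) carries no `/.dockerenv` / `/run/.containerenv` guard, whereas the aide install script in the same guide is wrapped in one. If the asymmetry is intentional (the policy package is needed inside containers, an integrity scanner is not) it belongs in the rule description; if not, the two package-install templates have drifted apart and should be generated from the same source.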
@@ -551,25 +551,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
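Review bot: the hunk is cut off after `- echo "$stderr_of_call" >&2`; the remainder of the `FIPS:OSPP` script (the `dnf provides` hint and the `elif test "$rc" != 0` branch visible in the sibling guides further down) is lost to the following file header, so the moved block cannot be checked for completeness from this excerpt. Separately, `update-crypto-policies --set ${var_system_crypto_policy}` only switches the userspace back-end configuration; it does not put the kernel into FIPS mode, which is what the separate "Enable FIPS Mode" rule earlier in this guide covers, and the rule text should not let a reader conclude the host is FIPS-enabled after this remediation alone.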
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
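Review bot: the header `@@ -80,7 +80,7 @@` declares seven lines on each side, so the thirteen `- cpe:/o:redhat:enterprise_linux:8.x` lines are not deletions: the leading `-` is the list bullet from the rendered HTML, and the only real removal/addition pair is `- (as of 2023-10-20)` / `+ (as of 2039-11-21)`. Anyone counting changes in these guides should strip the rendered bullets, or diff the XCCDF datastream rather than the HTML; the date itself is the same build-clock leak as in the previous guide.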
@@ -147,16 +147,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -328,28 +328,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,32 +450,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
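Review bot: `rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'` takes the last whitespace-separated field as the path, so a packaged file whose name contains a space yields a truncated path, `rpm -qf` then fails for it and that package is silently skipped. Since the verify output places the path after the fixed attribute and type columns, print from the first `/` onward (`substr($0, index($0, "/"))`) so the whole path reaches `rpm -qf`. The `-`/`+` reference lists around the script are identical; the script text did not change in this hunk.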
@@ -616,25 +616,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
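Review bot: `update-crypto-policies --set ${var_system_crypto_policy}` expands the variable unquoted; for the literal `DEFAULT:NO-SHA1` that is harmless, but `var_system_crypto_policy` is a profile-level value substituted into this template (the sibling guides carry `FIPS` and `FIPS:OSPP` in the same slot), and an unquoted expansion is exactly where a future value containing whitespace or glob characters would word-split. Quote it as `"${var_system_crypto_policy}"`; the Ansible side already treats the value as a plain string (`!!str DEFAULT:NO-SHA1`).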
@@ -679,6 +661,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
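Review bot: the task tags include `no_reboot_needed`, but `update-crypto-policies --set` only rewrites the back-end configuration files; processes already running (sshd, web servers, anything linked against OpenSSL, GnuTLS or NSS) keep the policy they loaded at start-up until they are restarted, and the restart notice the tool prints on stdout never reaches the operator because the snippet sends stdout to /dev/null. Either tag the remediation as requiring a reboot or service restart, or have the rule text state that the new policy applies to newly started processes only. Also, this hunk (`@@ -679,6 +661,24 @@`) ends at `- restrict_strategy` with none of its 24 added lines visible; the next file header follows, so the re-added shell script cannot be verified from this excerpt.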
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -150,16 +150,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -336,32 +336,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
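Review bot: `rpm --restore "${RPM_PACKAGE}"` resets every file of the package, not only the ones `rpm -Va` flagged with `M`, and it restores ownership and the other recorded attributes along with the mode; a deliberate local change to a different file of the same package, or an ownership change made on purpose, is therefore reverted as a side effect of fixing one file's permissions. That matches the "Disruption: medium" rating but is not stated in the rule description, which speaks only of permissions; either document the wider scope or restore per file by reading the packaged mode back from the database (`rpm -q --qf '[%{FILEMODES:perms} %{FILENAMES}\n]'`) and applying chmod to the flagged paths only.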
@@ -502,25 +502,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -565,6 +547,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
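Review bot: both error branches end in `false # end with an error code` rather than an `exit`, so when this snippet is concatenated with other remediations into one script the non-zero status is overwritten by whatever runs next and only the stderr message survives. That is the right choice if the contract is "never abort sibling remediations", but the comment should say so, because a reader of the standalone snippet will expect the script itself to fail. The `2>&1 > /dev/null` order is correct: it captures stderr into `stderr_of_call` and discards stdout.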
@@ -574,11 +574,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -687,69 +687,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
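Review bot: the `-` reference line for dconf_gnome_remote_access_credential_prompt (`3.1.12, 164.308(a)(4)(i), ...`) runs straight into `| Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0`, which is the head of a different guide (this one reports 71 groups and 151 rules), so the file header between them was lost in rendering and no `+` counterpart for that reference list is visible. Treat the date change `- (as of 2023-10-20)` / `+ (as of 2039-11-21)` as the only confirmed delta here and ask for the dconf rule's reference list to be re-checked against the new build.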
@@ -151,16 +151,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
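Review bot: this hunk shows only the removal of the rpm_verify_hashes References line (`- 11, 2, 3, 9, ... 6.1.1 | | |`) and no `+` counterpart, yet the header `@@ -151,16 +151,7 @@` says nine lines were dropped here. The other eight, presumably the remediation snippets that sit between the references and the next rule, are not in the rendering, so it cannot be confirmed from this hunk alone that the references and fixes are still present elsewhere in the new file. The same truncated shape repeats below for rpm_verify_ownership, enable_dracut_fips_module, enable_fips_mode, aide_build_database, configure_ssh_crypto_policy and ensure_gpgcheck_globally_activated; check one of them against the full HTML before treating the whole report as a pure reorder.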
@@ -332,28 +332,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -454,32 +454,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
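Review bot: the Shell remediation for rpm_verify_permissions (from `-declare -A SETPERMS_RPM_DICT` to the `- rpm --restore "${RPM_PACKAGE}"` loop) is deleted from its place after the References line, and the References line is re-emitted as a `+` line without the trailing `| Remediation Shell script ⇲Complexity: | high |` cell; no text inside the script changes and no `+` copy of it appears within the hunk. The 32/7 counts in `@@ -454,32 +454,7 @@` are consistent with the snippet being moved elsewhere rather than dropped, which matches the remediation reordering seen in the aide hunks of the same report, but the destination is outside the shown lines, so the full file is needed to confirm the script survives. The thing to fix is the order in which fixes are collected when the guide is rendered: emit them in a fixed order (for example sorted by fix system) so that two builds of the same content agree.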
@@ -582,19 +582,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
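Review bot: no remediation content changes in this hunk; the Shell script and the Anaconda `package --add=aide` line for package_aide_installed are removed from in front of the Ansible snippet, and the following hunk (`@@ -611,6 +599,18 @@`) adds the same Anaconda line and Shell script back after the Ansible task. The order of remediation types has therefore flipped from Shell, Anaconda, Ansible in one build to Ansible, Anaconda, Shell in the other, which is a deterministic-output bug in the generator rather than a content change; an exactly reversed sequence suggests the fix elements are taken from an unordered or insertion-reversed collection when the XCCDF/HTML is assembled. Sort the fixes by a fixed key (fix system, then rule id) before rendering; until then every rule with more than one remediation will churn like this on each rebuild. The stray empty `+` line and the duplicated `Remediation Ansible snippet ⇲` heading in the hunk are just the diff algorithm aligning the two orderings, not extra output.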
@@ -611,6 +599,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
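Review bot: this hunk is cut off after `+if ! rpm -q --quiet "aide" ; then`; the next line of the report is the file header for ssg-centos8-guide-ospp.html, so the rest of the re-added Shell script (the `yum install -y "aide"` branch and the `else` message) is not shown. The matching hunk in the ospp guide, `@@ -165,6 +153,18 @@`, does show the complete script, so this is a truncation of the comparison output rather than of the remediation in the guide, but as rendered this hunk cannot be used to confirm the moved block is intact.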
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
@@ -81,7 +81,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
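Review bot: `@@ -81,7 +81,7 @@` is a seven-line hunk on both sides, which confirms that the only change in the ospp guide header is the `(as of ...)` build date; the `- cpe:/o:redhat:enterprise_linux:8.x` platform entries and the `- ` Table of Contents items that follow are list markup from the rendered HTML and read as removals only because the report strips the leading space from context lines. Same fix as for the first guide: stop embedding the build clock in the generated page.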
@@ -136,19 +136,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -165,6 +153,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
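Review bot: the block re-added here, from `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` through `+fi`, is identical line for line to the block removed in `@@ -136,19 +136,7 @@` just above, so this pair is a pure reorder of the package_aide_installed remediations with no script change. That makes it a good regression check: once the generator sorts fixes, this hunk pair should disappear from the comparison entirely. One observation on the script itself, independent of the move: the container guard only tests for `/.dockerenv` and `/run/.containerenv`, so the remediation will still attempt `yum install` inside any container runtime that creates neither marker; that is existing behaviour, not introduced here.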
@@ -201,19 +201,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -293,33 +293,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SV-230223r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -454,13 +454,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
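Review bot: the same snippet reorder, this time for package_crypto-policies_installed: the Shell (`yum install -y "crypto-policies"`) and Anaconda (`package --add=crypto-policies`) remediations are removed ahead of the Ansible task here and re-added after it in `@@ -471,6 +465,12 @@`. Unlike the aide script this one carries no `/.dockerenv` / `/run/.containerenv` guard, so the two package rules are inconsistent about whether installation is attempted inside containers; worth aligning, but it is pre-existing and not part of this change.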
@@ -471,6 +465,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -542,25 +542,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
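Review bot: the removed Shell remediation for the `FIPS:OSPP` crypto policy breaks off at `- echo "$stderr_of_call" >&2` because the ssg-centos8-guide-pci-dss.html file header follows immediately, and the `+` side of this move is not shown at all. The hunk header `@@ -542,25 +542,7 @@` has the same 25/7 counts as the pci-dss guide's `@@ -222,25 +222,7 @@` hunk, which does show the whole `update-crypto-policies --set` script being removed and then re-added, so the ospp script is most likely intact in the guide and only truncated in this report; the ospp file still needs to be checked directly to confirm the `FIPS:OSPP` variant was re-emitted.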
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | Group
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,32 +327,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
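Review bot: this is the pci-dss copy of the rpm_verify_permissions reorder already seen in `@@ -454,32 +454,7 @@`, with identical 32/7 counts and again no `+` copy of the script in view. Two points on the script being moved, since it is visible here in full: `awk '{ if (substr($0,2,1)=="M") print $NF }'` takes the last whitespace-separated field of each `rpm -Va` line as the path, so any path containing a space is truncated and the following `rpm -qf` lookup fails for it; and `rpm --restore "${RPM_PACKAGE}"` resets every file of the package, not only the file that was flagged, which is broader than the single finding and is what the medium disruption rating reflects. Both are pre-existing; neither is introduced by the move.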
@@ -455,19 +455,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -484,6 +472,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -505,20 +505,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -616,24 +616,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | Group
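Review bot: this hunk runs from the aide_periodic_cron_checking References line straight into the Profile Information of a different, smaller guide (39 groups and 71 rules) with no `differs` / `---` / `+++` header in between, so another file boundary has been lost in the report; the `@@ -616,24 +616,7 @@` counts belong to the pci-dss guide and cannot be reconciled with the lines that follow. Within what is shown the only change is once more the build date, `- (as of 2023-10-20)` / `+ (as of 2039-11-21)`, the same timestamp problem as in every other guide header.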
@@ -132,19 +132,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -161,6 +149,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -222,25 +222,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
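Review bot: Shell-before-Ansible becomes Ansible-before-Shell for the FIPS crypto policy rule: the `update-crypto-policies --set ${var_system_crypto_policy}` script is removed here and added back, unchanged, after the Ansible `XCCDF Value var_system_crypto_policy` task in `@@ -285,6 +267,24 @@`. Same generator ordering problem as for the package rules; there is nothing to fix in the remediation itself within this hunk.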
@@ -285,6 +267,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
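Review bot: on the re-added script, both error paths end with `false # end with an error code`; that only works because the `if ... elif ... fi` is the last statement, so the script's exit status happens to be that of `false`. If anything is ever appended after the `fi` the failure status is silently lost, and `exit 1` states the intent directly. Also, the `rc = 127` branch tells the operator to run `dnf provides update-crypto-policies` while the package remediations in this same guide use `yum`; harmless on RHEL 8, where yum is dnf, but worth keeping consistent. Neither point is introduced by this change.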
@@ -294,11 +294,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | | |
| Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -435,35 +435,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-230264r880711_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -528,9 +528,7 @@
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 33 groups and 79 rules | Group
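Review bot: the only change in this hunk is the "as of" date in Revision History, from 2023-10-20 to 2039-11-21, which means the rendered guide embeds the build clock, and the 2039 value shows the second build ran with a deliberately shifted clock. Take the date from SOURCE_DATE_EPOCH (falling back to the current time only when it is unset) or from the content release date so that two builds of the same 0.1.70 source produce byte-identical HTML; every other guide in this diff shows the same one-line change.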
@@ -143,16 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
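Review bot: this hunk drops the References cell of rpm_verify_hashes (the line beginning "11, 2, 3, 9, 5.10.4.1" and ending "SRG-OS-000480-GPOS-00227, 6.1.1 | | |") and adds nothing in its place, while the header says 16 lines became 7, so more of the old side has been removed than the extracted text shows. Elsewhere in this diff the same kind of line comes back as a "+" line once the remediation block after it has moved, so this is probably the references cell being re-split rather than references being lost, but that cannot be confirmed from this hunk; check that the new guide still lists these references for the rule.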
@@ -329,32 +329,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
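Review bot: the Shell remediation for rpm_verify_permissions (the "declare -A SETPERMS_RPM_DICT" through "rpm --restore" block) is removed here and not re-added anywhere in this hunk, while the References cell is re-emitted as a "+" line that is identical except for the detached "Remediation Shell script ⇲Complexity: | high |" suffix. The underlying change is therefore the remediation block moving relative to the Ansible snippet, not a change to the script or to the references, and the fix belongs in the HTML generator: emit remediations in a fixed order (sorted by remediation type, for instance) so this churn disappears. Separately, the removed script's `awk '{ if (substr($0,2,1)=="M") print $NF }'` takes the last whitespace-separated field, so any path containing a space is truncated before it reaches `rpm -qf "${FILE_PATH}"`; if the script is touched again, printing from the first "/" of the rpm -Va line (for example `print substr($0, index($0, "/"))`) is the column-safe form.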
@@ -520,25 +520,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
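Review bot: the same move pattern for the crypto-policy rule: the Shell script ("var_system_crypto_policy='DEFAULT'" through the update-crypto-policies error handling) is deleted from before the Ansible snippet, and the Ansible header "- name: XCCDF Value var_system_crypto_policy # promote to variable" is shown removed and then reappears as context, which is how a pure reordering renders when the diff anchors on the duplicated header rows. The Complexity/Disruption/Strategy table is repeated unchanged, so nothing in the content differs; the deterministic-ordering fix in the generator is what makes this hunk go away.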
@@ -583,6 +565,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
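Review bot: this is the counterpart of the -520 hunk above: the added lines are the same crypto-policy Shell script, now emitted after the Ansible snippet, so the two hunks together are a pure move. The script itself needs no change for the concatenated-remediation model it runs in: `stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)` deliberately captures stderr while discarding stdout, and `false # end with an error code` leaves a non-zero status without terminating a larger script. Only the order in which the generator writes the block out should change.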
@@ -592,10 +592,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, SV-230223r877398_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
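Review bot: the rule description carried as context in this hunk has a typo in the symlink target: "/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config" should read "/etc/crypto-policies/back-ends/krb5.config" (the Libreswan rule just below uses the correct "/etc/crypto-policies/back-ends/libreswan.config" path). That is a content fix for the configure_kerberos_crypto_policy description in the source, separate from the references-cell churn this hunk shows; the "-" line here again removes the References cell with no replacement in view.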
@@ -624,18 +624,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014, SV-230223r877398_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 403 rules | Group
@@ -140,19 +140,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
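Review bot: for package_aide_installed three remediation types move at once: the Shell script (`if ! rpm -q --quiet "aide" ; then` / `yum install -y "aide"`) and the Anaconda `package --add=aide` snippet are removed from before the Ansible snippet, and each remediation header with its Complexity/Disruption/Strategy table is shown removed and re-added unchanged. So the ordering of all remediation types varies between builds, not only Shell versus Ansible; whatever orders remediations in the guide generator needs a total, deterministic key (the remediation type name would do), since set or hash iteration order produces exactly this kind of churn.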
@@ -169,6 +157,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -190,20 +190,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -300,68 +300,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 400 rules | Group
@@ -146,19 +146,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -175,6 +163,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -196,20 +196,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -306,68 +306,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 67 groups and 235 rules | Group
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -425,19 +425,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- dnf install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -451,6 +439,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ dnf install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -459,27 +459,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
+reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
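Review bot: the sudo_add_requiretty rule (title, description, rationale, severity, rule ID) is removed and re-added word for word; the only material difference is at the edges: the old side closes the NOEXEC rule with "BP28(R58) | | |" and the requiretty rule with "BP28(R58) | |", whereas the new side ends at "References:" with no BP28(R58) value in view. Confirm that the new guide still renders BP28(R58) for sudo_add_requiretty; if the diff is merely anchoring on the identical "| Rule" rows because a remediation block moved, the deterministic-ordering fix in the generator (or a move-aware comparison) would make this hunk disappear.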
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 69 groups and 313 rules | Group
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -291,24 +291,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -428,35 +428,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 55 groups and 166 rules | Group
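Review bot: unlike the reordering hunks, this one removes a whole rule: aide_verify_acls ("Configure AIDE to Verify Access Control Lists (ACLs)", with its "FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256" example and its references) has only "-" lines and no "+" counterpart, and the header (35 lines to 7) confirms the new side is shorter. Either the rule is emitted at a different position in the new build, which would mean rule order within a group is also non-deterministic, or it was dropped from the profile; both need checking before this diff is accepted as cosmetic. The 2023-10-20 / 2039-11-21 line is the same build-clock issue as in the earlier hunks.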
@@ -135,19 +135,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -163,6 +151,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
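Review bot: the two hunks at -135/+135 and -163/+151 move the shell-script and Anaconda remediations for the aide package from before the Ansible snippet to after it, but the moved blocks are byte-for-byte identical on both sides (same `rpm -q --quiet "aide"` guard, same `dnf install -y "aide"`, same `package --add=aide`), so this is a change in emission order, not in content. That pattern points to the generator iterating remediation types from an unordered collection; emitting them in a fixed order (the order the template declares, or sorted by type) would make successive builds of the same content diff clean. The same reordering recurs below for the sudo and dnf-automatic packages.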
@@ -184,20 +184,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -407,19 +407,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- dnf install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -433,6 +421,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ dnf install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -441,27 +441,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
+reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
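Review bot: the requiretty rule (xccdf_org.ssgproject.content_rule_sudo_add_requiretty) is removed and re-added with an identical title, description, rationale, severity and Rule ID; only its position relative to the neighbouring `| Rule` entry moves, which is the same unordered-iteration symptom as the remediation blocks, this time over the rules of the Sudo group. Emit rules in the order the profile selects them or sorted by Rule ID. Note also that the `+` copy is cut off at "References:" in this diff, so the re-added rule's reference list cannot be compared against the `- BP28(R58)` line of the removed copy here.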
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 26 groups and 47 rules | Group
@@ -111,22 +111,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Updating Software
Group contains 9 rules | [ref]
@@ -247,13 +247,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- dnf install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -264,6 +258,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ dnf install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,35 +355,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.2 | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DNS Server
- FTP Server
- IMAP and POP3 Server
- Network Time Protocol
- Obsolete Services
- Proxy Server
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 67 groups and 140 rules | Group
@@ -160,25 +160,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -221,6 +203,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
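Review bot: the shell-script remediation for the system crypto policy rule (the `var_system_crypto_policy='DEFAULT'` block in hunk -221/+203) carries no Complexity/Disruption/Strategy table, whereas the Ansible snippet for the same rule is tagged low/low/restrict and every package-install shell script elsewhere in this diff has the table, so either the script's metadata is missing at the source or the renderer drops it for this rule. Within the script, `update-crypto-policies --set ${var_system_crypto_policy}` expands the XCCDF value unquoted; quoting it as "${var_system_crypto_policy}" costs nothing and keeps the call from splitting into several arguments if the value is ever something other than a bare policy name.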
@@ -230,11 +230,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -352,69 +352,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | |
| Group
- GNOME Media Settings
- Group contains 3 rules | [ref]
- GNOME media settings that apply to the graphical interface. | Rule
- Disable GNOME3 Automounting
- [ref] | The system's default desktop environment, GNOME3, will mount
-devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-they are inserted into the system. To disable automount within GNOME3, add or set
- automount to false in /etc/dconf/db/local.d/00-security-settings .
-For example:
- [org/gnome/desktop/media-handling]
-automount=false
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/desktop/media-handling/automount
-After the settings have been set, run dconf update . | Rationale: | Disabling automatic mounting in GNOME3 can prevent
-the introduction of malware via removable media.
-It will, however, also prevent desktop users from legitimate use
-of removable media. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount | Identifiers and References | References:
- 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
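Review bot: hunk -352,69 +352,7 drops the whole "GNOME Media Settings" group (3 rules, including xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount) at this position, but the `+` side of the hunk is cut off before the next profile header, so this excerpt does not show where, or whether, the group is re-emitted. Given the rule and remediation reorderings elsewhere in the diff this is most likely group-order nondeterminism rather than a dropped group, but confirm against the full diff before signing off, since a silently missing automount rule would be a real regression in the published guide.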
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 39 groups and 89 rules | Group
@@ -160,25 +160,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -221,6 +203,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -230,11 +230,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
GNOME Desktop Environment
Group contains 1 rule | [ref]
@@ -277,15 +277,7 @@
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | Identifiers and References | References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, 1.8.2 | | |
| Group
Sudo
Group contains 2 rules | [ref]
@@ -334,37 +334,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, 5.3.4 | | |
| Rule
Require Re-Authentication When Using the sudo Command
[ref] | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
@@ -445,46 +445,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication | Identifiers and References | References:
- CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.5, 5.3.6 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DNS Server
- FTP Server
- IMAP and POP3 Server
- Network Time Protocol
- Obsolete Services
- Proxy Server
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 127 rules | Group
@@ -160,25 +160,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -221,6 +203,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -230,11 +230,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
GNOME Desktop Environment
Group contains 3 groups and 7 rules | [ref]
@@ -294,69 +294,7 @@
After the settings have been set, run dconf update . | Rationale: | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | |
| Group
- GNOME Media Settings
- Group contains 3 rules | [ref]
- GNOME media settings that apply to the graphical interface. | Rule
- Disable GNOME3 Automounting
- [ref] | The system's default desktop environment, GNOME3, will mount
-devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-they are inserted into the system. To disable automount within GNOME3, add or set
- automount to false in /etc/dconf/db/local.d/00-security-settings .
-For example:
- [org/gnome/desktop/media-handling]
-automount=false
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/desktop/media-handling/automount
-After the settings have been set, run dconf update . | Rationale: | Disabling automatic mounting in GNOME3 can prevent
-the introduction of malware via removable media.
-It will, however, also prevent desktop users from legitimate use
-of removable media. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount | Identifiers and References | References:
- 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 112 groups and 355 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
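Review bot: the `+` lines in this hunk (`Remediation Anaconda snippet` with `+package --add=aide`, then `Remediation Shell script` with the `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` block) are the same blocks the preceding `@@ -134,19 +134,7 @@` hunk deletes, so the only change to the aide rule is the order in which the Ansible, Anaconda and Shell remediations are rendered. That is a non-deterministic ordering in the guide generator rather than a content change, and it makes every regenerated guide in this diff noisy; sort the remediation snippets by a fixed key (for example a fixed ansible, anaconda, bash order, or alphabetically by type) before rendering so the HTML is reproducible between builds.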
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -289,68 +289,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 96 groups and 270 rules | Group
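Review bot: the only real change in this hunk is the revision-history line, `- (as of 2023-10-20)` becoming `+ (as of 2039-11-21)`, and a date sixteen years in the future cannot be a genuine revision date; it looks like the generator stamps the build host's clock (or an unclamped SOURCE_DATE_EPOCH) into the guide body. Take the "as of" date from the release metadata (the package changelog or tag) rather than the clock so the guide is reproducible, and add a sanity check that rejects a stamped date later than the release date, since this same bogus line is repeated in every guide file in this diff.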
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -289,68 +289,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 91 groups and 266 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -289,68 +289,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 105 groups and 349 rules | Group
@@ -134,19 +134,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,20 +183,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -289,68 +289,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | Group
@@ -147,19 +147,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -236,33 +236,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 4 rules | [ref]
@@ -393,13 +393,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -410,6 +404,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
|
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -456,25 +456,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS:OSPP
tags:
@@ -517,6 +499,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS:OSPP'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
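Review bot: in the re-added shell block, `false # end with an error code` on both the `"$rc" = 127` and `"$rc" != 0` branches only becomes the script's exit status because the `if ... fi` happens to be the last statement; when this snippet is concatenated with other remediations into one script, the next command overwrites `$?` and nothing ends, so the comment promises something the code does not guarantee. Use `exit 1` if the remediation really should stop, or reword the comment if continuing is intended. Two smaller points in the same hunk: the `Remediation Shell script ⇲` heading is rendered without the Complexity / Disruption / Strategy table that the `Remediation Ansible snippet` for the same rule carries, so the bash remediation's metadata is missing from the guide, and `${var_system_crypto_policy}` should be quoted for consistency with the `"$rc"` tests below it.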
@@ -527,37 +527,7 @@
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | Group
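Review bot: the `---`/`+++` header shows old and new file with the identical timestamp `2023-10-17 02:00:00.000000000 +0200`, yet the hunk's only difference is the embedded revision date `+ (as of 2039-11-21)`. File mtimes are evidently clamped for reproducibility while the generator injects an unclamped wall-clock date into the document body, which defeats the reproducible build; make the embedded date come from the same fixed source as the mtime.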
@@ -147,16 +147,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -328,28 +328,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,32 +450,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -616,25 +616,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -677,6 +659,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
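Review bot: the hunk header `@@ -677,6 +659,24 @@` announces eighteen added lines, but after the three context lines `- low_disruption`, `- no_reboot_needed`, `- restrict_strategy` the next thing in the diff is the `ssg-cs9-guide-hipaa.html` file header, so the re-added `Remediation Shell script` block for the `DEFAULT:NO-SHA1` policy is not visible here. Confirm the diff was not truncated before merging, since every other guide in this change shows the moved block immediately after these tags.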
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | Group
@@ -150,16 +150,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -336,32 +336,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -502,25 +502,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -563,6 +545,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -572,11 +572,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -684,69 +684,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | Group
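Review bot: the only material change in this hunk is the generation stamp, `- (as of 2023-10-20)` to `+ (as of 2039-11-21)`; embedding the build clock in the guide makes every rebuild differ, and 2039 is not a plausible generation date (the compared files elsewhere in this report carry 2023-10-17 timestamps). Derive the stamp from a fixed input such as SOURCE_DATE_EPOCH or the release date of content version 0.1.70 so that rebuilds of the same content are byte-identical.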
@@ -151,16 +151,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -332,28 +332,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -454,32 +454,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -582,19 +582,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
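Review bot: every line removed here, the aide Shell script (`if ! rpm -q --quiet "aide" ; then` through its `fi`) and the Anaconda `package --add=aide` snippet, comes back unchanged as an addition in the next hunk, placed after the Ansible snippet instead of before it, so this is a reorder rather than a content change. The guide generator is emitting remediation types in a build-dependent order; sorting them by a fixed key (for instance the remediation type name) in the HTML template would remove this noise from future comparisons.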
@@ -610,6 +598,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
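Review bot: the hunk ends at `+if ! rpm -q --quiet "aide" ; then` although its header `@@ -610,6 +598,18 @@` announces 18 added lines, so the body of the re-added Shell script (the `dnf install -y "aide"` line and its `else`/`fi`) is missing from the report and cannot be checked for equivalence with the removed copy. Regenerate the comparison without the output truncation before signing off on this file.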
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
@@ -80,7 +80,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | Group
@@ -137,19 +137,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -226,33 +226,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 4 rules | [ref]
@@ -383,13 +383,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -400,6 +394,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
|
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
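Review bot: the crypto-policies Shell script re-added here runs `if ! rpm -q --quiet "crypto-policies" ; then` / `dnf install -y "crypto-policies"` unconditionally, whereas the equivalent aide script in this report is wrapped in the `# Remediation is applicable only in certain platforms` guard that skips containers (`/.dockerenv`, `/run/.containerenv`). If the difference reflects the rule's declared platform applicability it is fine, but confirm it is intended rather than a template inconsistency, since package installs inside container images are exactly what that guard exists to avoid.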
@@ -446,25 +446,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS:OSPP
tags:
@@ -507,6 +489,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS:OSPP'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
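Review bot: the `rc = 127` branch message `Make sure that the script is installed on the remediated system.` never names which script, and 127 is also what bash returns when `update-crypto-policies` is installed but not on the remediation shell's PATH. Name the command in the message and, since the `dnf provides update-crypto-policies` hint is the only recovery pointer, consider also printing the PATH that was searched so the two causes can be told apart.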
@@ -517,37 +517,7 @@
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | Group
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,32 +327,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -455,19 +455,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -483,6 +471,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,20 +504,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -611,24 +611,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 492 rules | Group
@@ -141,19 +141,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -169,6 +157,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -190,68 +190,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -343,24 +343,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 489 rules | Group
@@ -147,19 +147,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -175,6 +163,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -196,68 +196,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -349,24 +349,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:39
- cpe:/o:fedoraproject:fedora:40
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Fedora
Group contains 93 groups and 272 rules | Group
@@ -172,25 +172,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -233,6 +215,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure GnuTLS library to use DoD-approved TLS Encryption
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -245,29 +245,7 @@
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 | Rationale: | Overriding the system crypto policy makes the behavior of the GnuTLS
library violate expectations, and makes system configuration more
fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy | Identifiers and References | References:
- CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -349,10 +349,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
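Review bot: the Kerberos rule description in the context lines names the symlink target `/etc/cypto-policies/back-ends/krb5.config`, while the Libreswan rule in the next hunk includes `/etc/crypto-policies/back-ends/libreswan.config`; the missing `r` is a pre-existing typo in the rule text, and an administrator who creates the symlink from the description as written ends up with a dangling link that the check still reports as failing. It should be fixed in the rule source, not patched in the generated guide.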
@@ -380,18 +380,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -420,37 +420,7 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, 2.2, SRG-OS-000250-GPOS-00093 | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:39
- cpe:/o:fedoraproject:fedora:40
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- Network Time Protocol
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Fedora
Group contains 62 groups and 206 rules | Group
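Review bot: the only changed lines in this hunk are the revision date, `(as of 2023-10-20)` to `(as of 2039-11-21)`, which shows the guide embeds the wall clock at generation time; the `---`/`+++` headers further down give identical mtimes (2023-10-17) for old and new, so the date is not file or release metadata, and the same pair of lines recurs in every guide in this diff. The fix belongs in the shared template: derive the date from SOURCE_DATE_EPOCH or the release date so two builds of 0.1.70 render identical HTML. Separately, the OpenSSL rule rationale in the context lines says the override "makes the behavior of the Java runtime violates expectations"; that is a copy-paste from the Java rule and should read "makes the behavior of the OpenSSL library violate expectations".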
@@ -139,16 +139,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -331,33 +331,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -541,25 +541,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -602,6 +584,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
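Review bot: the shell script added here (`var_system_crypto_policy='FIPS'` through the closing `fi`) is line-for-line identical to the one removed in the previous hunk; the only difference is that the Shell remediation now follows the Ansible snippet instead of preceding it. A content-free reorder like this means the generator emits remediation snippets in an order that is not stable between builds; rendering them from a list sorted by a fixed key (for example the remediation type name) would make the guide reproducible and stop diffs like this one from burying real changes.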
@@ -611,10 +611,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -642,18 +642,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014 | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:39
- cpe:/o:fedoraproject:fedora:40
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Fedora
Group contains 47 groups and 121 rules | Group
@@ -132,16 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,32 +318,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -446,19 +446,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -474,6 +462,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
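Review bot: compared with the previous hunk the three aide remediations are unchanged, but their order is exactly reversed: Shell, Anaconda, Ansible before; Ansible, Anaconda, Shell after. A complete reversal rather than a shuffle is consistent with iterating a structure whose insertion order flipped between builds rather than with random ordering; either way, sorting the remediations before rendering removes the nondeterminism. The scripts themselves are fine: the `/.dockerenv` / `/run/.containerenv` guard and the `rpm -q --quiet` check before `dnf install -y` make the remediation idempotent and container-safe.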
@@ -495,20 +495,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -602,24 +602,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:39
- cpe:/o:fedoraproject:fedora:40
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Fedora
Group contains 39 groups and 76 rules | Group
@@ -133,16 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -319,32 +319,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -452,20 +452,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -623,25 +623,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -684,6 +666,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
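Review bot: this hunk is cut off inside the added shell script: the last visible line is the `echo` of the `elif` branch, and the `false # end with an error code` and `fi` that the same script ends with in the earlier hunks of this file are missing before the next file header (ssg-ol7-guide-anssi_nt28_enhanced.html). As pasted the hunk cannot be applied; re-export the diff so the full set of added lines is included.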
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 69 groups and 227 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -306,21 +306,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips-aesni_installed | Identifiers and References | References:
- BP28(R1), 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223 | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -526,19 +526,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -552,6 +540,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -560,27 +560,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 70 groups and 281 rules | Group
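Review bot: pre-existing typo in the env_reset rationale context line, "accidentaly" should be "accidentally"; not introduced by this change, but worth fixing in the rule source since it is reproduced in every generated guide. The date-only change in this hunk is the same reproducibility issue noted for the Fedora guides above.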
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,24 +287,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r902773_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -429,35 +429,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r902776_rule | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, OL07-00-021600, SV-221759r880695_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 55 groups and 160 rules | Group
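Review bot: the `@@ -429,35 +429,7 @@` hunk drops the entire rule "Configure AIDE to Verify Access Control Lists (ACLs)" (xccdf_org.ssgproject.content_rule_aide_verify_acls, severity low, together with its description, rationale and references) and nothing in the hunk re-adds it, so this is a content difference between two renderings of the same version 0.1.70 of the Oracle Linux 7 guide, not a cosmetic one. Please confirm whether the rule was intentionally removed from this profile; if it still belongs, the guide generator is selecting or ordering rules non-deterministically and the two builds cannot be compared as identical.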
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
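Review bot: across `@@ -126,19 +126,7 @@` and `@@ -155,6 +143,18 @@` the "Remediation Shell script" and "Remediation Anaconda snippet" blocks for the aide package are removed ahead of the Ansible snippet and re-added after it, line for line identical (`if ! rpm -q --quiet "aide" ; then`, `yum install -y "aide"`, `package --add=aide`). The only net effect is the order in which the remediation types are rendered, which means the generator emits them in an order that is not stable between builds; sort the remediation blocks by type before rendering so that this pair of hunks, and the identical sudo, aide and dracut-fips pairs further down in this diff, disappear.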
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -406,19 +406,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -432,6 +420,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -440,27 +440,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
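Review bot: in `@@ -440,27 +440,7 @@` the rule "Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot" is deleted and re-inserted with identical description, rationale, severity and rule ID (xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot), so only its position relative to the env_reset rule changes; this is the same unstable-ordering problem as the remediation snippets, now at rule level, and the rule list within a group should be sorted deterministically as well. While here, the unchanged context line for sudo_add_env_reset reads "passed on to the command accidentaly"; the rule source text should be corrected to "accidentally" so the fix reaches every generated guide.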
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 26 groups and 42 rules | Group
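Review bot: `@@ -71,7 +71,7 @@` changes the rendered revision date from "(as of 2023-10-20)" to "(as of 2039-11-21)" while the version stays "0.1.70 - draft" and the file timestamps in the `---`/`+++` headers are both 2023-10-17; the "as of" date is therefore taken from the build host clock at render time, and a date in 2039 shows the clock was skewed for this comparison. Derive the date from a fixed source such as SOURCE_DATE_EPOCH or the package changelog instead, otherwise every guide differs on each rebuild; the same date-only hunk recurs for ssg-ol7-guide-e8.html and ssg-ol7-guide-hipaa.html below.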
@@ -102,22 +102,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL07-00-010350, SV-228569r853731_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL07-00-010340, SV-221692r860860_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL07-00-010340, SV-221692r860860_rule | |
| Group
Updating Software
Group contains 5 rules | [ref]
@@ -246,33 +246,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, OL07-00-020050, SV-221710r877463_rule | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, OL07-00-020060, SV-221711r877463_rule | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, OL07-00-020060, SV-221711r877463_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 47 groups and 102 rules | Group
@@ -136,16 +136,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -328,32 +328,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -459,19 +459,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -488,6 +476,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -509,20 +509,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -620,24 +620,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r902773_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | Group
@@ -152,19 +152,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
@@ -188,6 +176,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
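Review bot: the platform guard in the re-added dracut-fips shell script tests the same two files twice: `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then`. The trailing brace group repeats the checks already made in the parenthesised group, so the condition is correct but reads as two platform-applicability expressions concatenated without de-duplication; the generator should merge them, and `==` inside `[ ]` is a bash extension that a POSIX sh rejects, so `=` is the safer spelling. The line is byte-identical in the old and new renderings, which confirms that the hunk pair `@@ -152,19 +152,7 @@` / `@@ -188,6 +176,18 @@` is pure reordering of the remediation blocks rather than a change to the remediation itself.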
@@ -224,74 +224,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, OL07-00-021350, SV-221758r877398_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 46 groups and 93 rules | Group
@@ -138,16 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -325,28 +325,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,32 +450,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Sudo
Group contains 3 rules | [ref]
@@ -577,22 +577,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL07-00-010350, SV-228569r853731_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
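Review bot: The header `-577,22 +577,7` records fifteen lines dropped from the Sudo group, and the lines marked `-` are the title and the opening description of the "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD" rule, with no `+` counterpart before the report moves on to the next guide. A rebuild that is expected to differ only by timestamp should not lose a rule; confirm that the NOPASSWD rule is still emitted elsewhere in the regenerated guide, or that dropping it from the profile is a deliberate content change, before accepting this hunk.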
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 54 groups and 142 rules | Group
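Review bot: The only change in this hunk is the "as of" date moving from 2023-10-20 to 2039-11-21, and the new value lies years in the future, which points to the build host's clock rather than the content's release metadata as the source of that string. Every other context line (version 0.1.70 - draft, the table of contents, "54 groups and 142 rules") is identical, so the guide is otherwise reproducible; take the date from a deterministic source such as SOURCE_DATE_EPOCH or the release date so rebuilt guides compare equal.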
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
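Review bot: The header `-141,16 +141,7` says nine lines were removed, yet the only line carrying a `-` marker is the References list for `rpm_verify_hashes` and no `+` lines appear; because the HTML is rendered as "very long lines" that wrap across many text lines, the excerpt does not show what actually changed. Regenerate the comparison with the long lines intact (or diff the rendered text instead of the HTML) so that each removed line is visible, and confirm that the compliance-reference mappings are not really dropped from the new guide.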
@@ -333,32 +333,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -530,69 +530,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings . For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update . | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
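Review bot: This hunk (`-530,69 +530,7`) removes the entire "Require Encryption for Remote Access in GNOME3" rule, from its title through the `[org/gnome/Vino]` / `require-encryption=true` setting, the `/org/gnome/Vino/require-encryption` lock entry and the `dconf update` step, and ends mid-line at "Open X displays allow an attacker..." with no `+` lines showing where the rule went; the preceding credential-prompt rule's References line is also marked `-`. A timestamp-only rebuild must not lose a rule from the HIPAA profile; verify that the rule is still present in the regenerated guide, or document its removal as an intentional content change.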
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
@@ -91,7 +91,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 104 groups and 382 rules | Group
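Review bot: Again the sole difference is the "as of" date (2023-10-20 to 2039-11-21) while the draft version string and the table of contents are unchanged; this is a build timestamp leaking into the generated HTML, and pinning the date to a deterministic source (SOURCE_DATE_EPOCH or the release date) removes the spurious diff for this guide as well.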
@@ -158,16 +158,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -350,32 +350,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -481,19 +481,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
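Review bot: Nothing in the Shell, Anaconda or Ansible snippets changes here; the Shell script and the `package --add=aide` Anaconda snippet are deleted only to be re-emitted after the Ansible snippet, so the generator writes remediation blocks in whatever order it happens to iterate them rather than a fixed one. Sort the remediation types before rendering (alphabetically or by a fixed precedence list) so that every package_*_installed rule is emitted in the same order and the guides become byte-comparable between builds.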
@@ -510,6 +498,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
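Review bot: In the re-emitted Shell script the `else` branch prints 'Remediation is not applicable, nothing was done' to stderr and then falls through to the end of the script, so the caller sees the same exit status as a successful install and cannot distinguish "skipped" from "fixed"; if the intent is that a scanner treats the skip as a pass, say so in a comment next to the `>&2 echo`, otherwise return a distinguishable status. Note also that the platform test only recognises Docker (`/.dockerenv`) and Podman (`/run/.containerenv`); a container runtime that creates neither file will run `yum install -y "aide"` as if on a host.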
@@ -531,20 +531,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -642,24 +642,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r902773_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | Group
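Review bot: The header `-642,24 +642,7` belongs to the AIDE periodic-check rule, yet after its References line the text jumps straight into a "Revision History" block with a different summary ("51 groups and 104 rules"), i.e. the start of another guide whose `---`/`+++` file header is missing from the report. The only diff lines are once more the "as of" date (2023-10-20 to 2039-11-21). Split the report per file so each hunk is attributable to a guide, and pin the date to a deterministic source so this hunk disappears entirely.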
@@ -143,19 +143,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
@@ -179,6 +167,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
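Review bot: The platform guard on the `if` line of the re-emitted dracut-fips Shell script tests `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` twice, once inside the parenthesised group and again in the trailing `{ ...; }` group, so the second group adds nothing; the only distinct condition is `! ( [ "${container:-}" == "bwrap-osbuild" ] )`. That test uses `==` inside `[ ]`, a bash extension rather than POSIX `[`, where `=` is the portable form. Collapse the condition to one guard (`[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ "${container:-}" != "bwrap-osbuild" ]`) so it is readable and does not spawn subshells for simple tests.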
@@ -215,74 +215,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, OL07-00-021350, SV-221758r877398_rule | | |
| Group
Updating Software
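Review bot: The header `-215,74 +215,7` says 67 lines of the "Enable FIPS Mode in GRUB2" rule disappear, but the excerpt shows only the tail of the Rationale, the References line and the "Updating Software" group heading, so the removed content cannot be reviewed here. If this is the same remediation-block reordering seen for the package rules, the matching `+` hunk should be included next to it; if a FIPS rule has actually lost its remediation, that needs an explicit explanation in the change.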
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 48 groups and 99 rules | Group
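Review bot: The PCI-DSS guide shows the same timestamp-only change ("as of" 2023-10-20 to 2039-11-21) with the version string and table of contents unchanged; one deterministic date source in the guide generator fixes all of these hunks at once.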
@@ -132,16 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -324,32 +324,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -455,19 +455,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
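Review bot: Same churn as the other package_*_installed rules: the Shell script (`rpm -q --quiet "aide"` guard plus `yum install -y "aide"`) and the Anaconda snippet (`package --add=aide`) are removed here only to reappear, unchanged, below the Ansible snippet in the following hunk. The fix is in the generator, not the content: emit remediation types in a fixed, sorted order.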
@@ -484,6 +472,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -505,20 +505,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r880693_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -616,24 +616,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r902773_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 10 groups and 9 rules | Group
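Review bot: As in the hunk for the previous guide, the header (`-616,24 +616,7`) points at the AIDE periodic-check rule but the visible text runs into another guide's "Revision History" ("10 groups and 9 rules") without a file header, and the only `-`/`+` pair is the "as of" date. The report needs per-file separation, and the guide date needs a deterministic source.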
@@ -105,13 +105,7 @@
[[packages]]
name = "glibc"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "glibc" ; then
- yum install -y "glibc"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=glibc
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure glibc is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure glibc is installed
package:
name: glibc
state: present
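Review bot: The glibc Shell script carries no platform guard: unlike the aide and dracut-fips scripts elsewhere in this report, it runs `rpm -q --quiet "glibc"` / `yum install -y "glibc"` unconditionally with no `/.dockerenv` or `/run/.containerenv` check. For glibc this is harmless because the package is always present, but the guard should be derived uniformly from the rule's platform applicability rather than from which template happened to produce the script; the inconsistency reads as a bug in the guide. The block reordering itself (Shell and Anaconda moved below Ansible) is the same generator ordering churn seen for the other package rules.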
@@ -122,6 +116,12 @@
- medium_severity
- no_reboot_needed
- package_glibc_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=glibc
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "glibc" ; then
+ yum install -y "glibc"
+fi
|
| Rule
Package uuidd Installed
[ref] | The package uuidd is not installed on normal Linux distribution
@@ -145,13 +145,7 @@
[[packages]]
name = "uuidd"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "uuidd" ; then
- yum install -y "uuidd"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=uuidd
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure uuidd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure uuidd is installed
package:
name: uuidd
state: present
@@ -162,6 +156,12 @@
- medium_severity
- no_reboot_needed
- package_uuidd_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=uuidd
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "uuidd" ; then
+ yum install -y "uuidd"
+fi
|
| Rule
Only sidadm and orasid/oracle User Accounts Exist on Operating System
[ref] | SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,13 +318,7 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Group
Services
Group contains 3 groups and 5 rules | [ref]
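Review bot: The Rationale shown for this rule argues about ownership ("Failure to give ownership of this file to root provides the designated owner with access...") while the Rule ID is `file_permissions_etc_shadow`, a permissions check; the wording looks copied from the corresponding file-owner rule. Rephrase the rationale in terms of the mode bits the rule actually verifies so the displayed justification matches the test. Separately, the References list is the only line marked `-` in a hunk that drops six lines (`-318,13 +318,7`); confirm the reference mappings survive in the new guide.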
@@ -412,21 +412,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-# CAUTION: This remediation script will remove ypbind
-# from the system, and may remove any packages
-# that depend on ypbind. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "ypbind" ; then
-
- yum remove -y "ypbind"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=ypbind
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Ensure ypbind is removed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Ensure ypbind is removed
package:
name: ypbind
state: absent
@@ -438,6 +424,20 @@
- no_reboot_needed
- package_ypbind_removed
- unknown_severity
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=ypbind
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+# CAUTION: This remediation script will remove ypbind
+# from the system, and may remove any packages
+# that depend on ypbind. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "ypbind" ; then
+
+ yum remove -y "ypbind"
+
+fi
|
| Rule
Uninstall ypserv Package
[ref] | The ypserv package can be removed with the following command:
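Review bot: The re-emitted ypbind Shell script warns in its CAUTION header that `yum remove -y "ypbind"` may remove dependent packages, then performs exactly that removal with no check. Since the script already identifies the risk, it should enforce it at run time: list reverse dependencies first (for example `rpm -q --whatrequires ypbind`) and refuse, or at least log, when any are installed, so the warning becomes a precondition instead of a comment that only a human reading the guide will see. The Strategy is "disable", yet the Anaconda snippet `package --remove=ypbind` has the same effect at install time, which is fine but should be stated consistently.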
@@ -455,21 +455,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-# CAUTION: This remediation script will remove ypserv
-# from the system, and may remove any packages
-# that depend on ypserv. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "ypserv" ; then
-
- yum remove -y "ypserv"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=ypserv
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Ensure ypserv is removed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Ensure ypserv is removed
package:
name: ypserv
state: absent
@@ -487,6 +473,20 @@
- low_disruption
- no_reboot_needed
- package_ypserv_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=ypserv
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+# CAUTION: This remediation script will remove ypserv
+# from the system, and may remove any packages
+# that depend on ypserv. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "ypserv" ; then
+
+ yum remove -y "ypserv"
+
+fi
|
| Group
Rlogin, Rsh, and Rexec
Group contains 3 rules | [ref]
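Review bot: The ypserv script has the same gap as its ypbind counterpart: the CAUTION comment admits that `yum remove -y "ypserv"` can take dependents with it, and the `if rpm -q --quiet "ypserv"` guard only checks that the package is present, not what depends on it. A reverse-dependency check (`rpm -q --whatrequires ypserv`) before the removal, with a refusal or log line when anything is found, would make the comment's warning operational. The surrounding Shell/Anaconda/Ansible reordering is generator churn, not a content change.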
@@ -515,27 +515,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
disabled = ["rlogin"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'rlogin.service'
-"$SYSTEMCTL_EXEC" disable 'rlogin.service'
-"$SYSTEMCTL_EXEC" mask 'rlogin.service'
-# Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then
- "$SYSTEMCTL_EXEC" stop 'rlogin.socket'
- "$SYSTEMCTL_EXEC" mask 'rlogin.socket'
-fi
-# The service may not be running because it has been started and failed,
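Review bot: This hunk (`-515,27 +515,7`) is cut off after the comment "# The service may not be running because it has been started and failed," by the next file header, so the `fi` closing the container guard and the rest of the rlogin script are not visible and the change cannot be verified as a pure move from this excerpt. What is visible is sound: the script stops, disables and masks `rlogin.service` and only masks `rlogin.socket` when `list-unit-files` reports a unit file for it, so socket activation cannot silently bring the service back. Include the full hunk (and its `+` counterpart) in the report.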
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 28 groups and 72 rules | Group
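Review bot: the only change in this hunk is the Revision History build stamp ("as of 2023-10-20" versus "as of 2039-11-21") for the same version 0.1.70, so the rendered guide embeds the time of the build rather than a property of the content, which is exactly why two builds of identical sources differ. Take the stamp from a fixed input such as SOURCE_DATE_EPOCH or the package changelog date so the HTML is reproducible.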
@@ -134,16 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
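Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_hashes is removed with no corresponding `+` line in the hunk, so as shown the rendered guide loses this rule's control mappings (CCI-000366, CCI-001749, OL07-00-010020, SV-221653r853660_rule and the rest); if the cell is only being re-rendered in a different order, the added line belongs in this hunk, and the reference set should be sorted before rendering so its order does not depend on the build. The hunk header (16 lines to 7) also does not match a single removed line, which suggests the long-line diff is displayed incompletely here.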
@@ -326,32 +326,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
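Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_permissions (CCI-001493 through CCI-001496, OL07-00-010010, SV-221652r880585_rule, ...) is removed without a replacement in the hunk; if the references cell is only reordered between builds, sort it before rendering and show the added side here, and if it is genuinely dropped, the rule's compliance mappings vanish from the guide.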
@@ -515,33 +515,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, OL07-00-020050, SV-221710r877463_rule | | |
| Rule
Ensure Oracle Linux GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software
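Review bot: the References line for xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated (BP28(R15), CCI-001749, OL07-00-020050, SV-221710r877463_rule, ...) is removed with nothing added in its place; for a high-severity rule about signature verification of packages, losing the mappings is a regression unless the hunk is simply hiding a reordered cell, in which case the references should be emitted in sorted order.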
@@ -670,10 +670,7 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | Identifiers and References | References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, OL07-00-020260, SV-221720r603260_rule | | |
| Group
Account and Access Control
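Review bot: the References line for xccdf_org.ssgproject.content_rule_security_patches_up_to_date (BP28(R08), CCI-000366, CCI-001227, OL07-00-020260, SV-221720r603260_rule, ...) is removed and not re-added within the hunk; the same fix applies as for the other reference cells in this file: render the reference set in a deterministic order, and confirm that no mapping is actually lost.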
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 103 groups and 286 rules | Group
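Review bot: same build-stamp difference as in the other guides, "as of 2023-10-20" versus "as of 2039-11-21" for version 0.1.70 with no content change; deriving the date from SOURCE_DATE_EPOCH or the changelog would make this hunk disappear.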
@@ -133,16 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
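Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_hashes (CCI-000366, CCI-001749, OL07-00-010020, SV-221653r853660_rule, ...) is removed with no `+` counterpart in this hunk of the STIG guide; either the added side is missing from the diff or the mappings are lost, and in both cases the references cell should be sorted before rendering.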
@@ -320,28 +320,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
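Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_ownership (CCI-001494, CCI-001496, OL07-00-010010, SV-221652r880585_rule, ...) is removed without a replacement; check whether the build merely reorders the cell and, if so, emit the references in a fixed order.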
@@ -445,32 +445,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
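Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_permissions (CCI-001493 through CCI-001496, SRG-OS-000256-GPOS-00097 through SRG-OS-000278-GPOS-00108, OL07-00-010010, ...) is removed here with nothing added; same concern as for the other reference cells: sorted rendering, and confirmation that the mappings still appear in the new build.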
@@ -576,19 +576,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
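Review bot: this hunk removes the Shell script and Anaconda remediations for the aide package rule, keeps the Ansible snippet, and adds a stray blank `+` line after `- name: Ensure aide is installed`; the following hunk re-adds the same Anaconda `package --add=aide` and container-guarded `yum install -y "aide"` script after the Ansible tags, so the difference is the order of remediation snippets, not their content. Sort remediations by type in the guide generator so that the rendered order does not vary from build to build.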
@@ -605,6 +593,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
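Review bot: the Anaconda line and the shell script added here after `- package_aide_installed` are the ones removed from above the Ansible snippet in the preceding hunk, which confirms a pure reorder; the hunk is cut off at `+if ! rpm -q --quiet "aide" ; then`, so the install line, the `else` branch and the closing `fi` are not visible and the diff for this file is incomplete as presented.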
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 7
Group contains 101 groups and 285 rules | Group
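Review bot: build-stamp-only change again ("as of 2023-10-20" versus "as of 2039-11-21", version 0.1.70 unchanged); the stig_gui guide has the same reproducibility problem as the other guides and the same fix, a clamped date from SOURCE_DATE_EPOCH.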
@@ -139,16 +139,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
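Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_hashes (CCI-000366, CCI-001749, OL07-00-010020, SV-221653r853660_rule, ...) is removed without a replacement in this hunk; render the references cell in sorted order and verify the new build still lists these mappings.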
@@ -326,28 +326,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
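Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_ownership (CCI-001494, CCI-001496, OL07-00-010010, SV-221652r880585_rule, ...) is removed and nothing is added in its place; same question as for the other reference cells, reorder or real loss.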
@@ -451,32 +451,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r880585_rule | | |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
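Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_permissions (CCI-001493 through CCI-001496, OL07-00-010010, SV-221652r880585_rule, ...) is removed with no `+` counterpart; sort the reference set before rendering so a reordering cannot show up as a removal, and confirm the mappings survive.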
@@ -582,19 +582,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
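Review bot: the Shell script and Anaconda remediations for the aide package rule are removed ahead of the Ansible snippet, with a stray blank `+` line after `- name: Ensure aide is installed`, and the next hunk re-adds both after the Ansible tags; this is the same snippet reordering as in the STIG guide and needs the same deterministic ordering in the generator rather than being treated as a content change.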
@@ -611,6 +599,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
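Review bot: the re-added Anaconda `package --add=aide` and the container-guarded shell script match what the preceding hunk removed, so nothing changes in substance; the hunk ends at `+if ! rpm -q --quiet "aide" ; then` with the install, `else` and `fi` lines missing, so the diff for this file is truncated.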
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 68 groups and 239 rules | Group
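Review bot: the only difference is the build stamp ("as of 2023-10-20" versus "as of 2039-11-21") while the version stays 0.1.70; the ANSSI enhanced guide embeds the build time like the others and should take it from SOURCE_DATE_EPOCH or the changelog.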
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
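Review bot: the Shell script and Anaconda remediations for the aide package rule are removed in front of the Ansible snippet (with a stray blank `+` line after `- name: Ensure aide is installed`) and the following hunk restores them after the Ansible tags; pure snippet reordering, which a stable sort by remediation type in the generator would eliminate.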
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
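Review bot: this hunk re-adds, in full, the Anaconda `package --add=aide` line and the shell script that skips containers (`/.dockerenv`, `/run/.containerenv`), checks `rpm -q --quiet "aide"` and runs `yum install -y "aide"`, which is exactly what the preceding hunk removed, so the aide rule's remediations are identical between the two builds apart from their order. Nothing to change in the script itself; the fix belongs in the ordering of snippets in the guide generator.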
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
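Review bot: the References line for xccdf_org.ssgproject.content_rule_aide_build_database (BP28(R51), OL08-00-010359, SV-252654r880573_rule, ...) is removed without a replacement in the hunk; same concern as in the OL7 guides: sort the references before rendering and make sure the mappings are still present in the new build.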
@@ -420,19 +420,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
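Review bot: the Shell script and Anaconda remediations for the sudo package rule are removed before the Ansible snippet, with a stray blank `+` line after `- name: Ensure sudo is installed`, and the following hunk re-adds them after the Ansible tags; this is the same ordering instability as for the aide rule and should be fixed once in the generator rather than per rule.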
@@ -446,6 +434,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
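Review bot: the re-added Anaconda `package --add=sudo` line and the container-guarded `yum install -y "sudo"` script are identical to the ones removed in the preceding hunk, so the sudo rule's remediations only change position; no script change is needed, the snippet order is what has to be made deterministic.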
@@ -454,27 +454,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
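Review bot: the env_reset References line (`- BP28(R58) | | |`) is removed, and the whole "Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot" rule block is removed and re-added with identical text as far as the hunk shows; the added side is cut off before its References line, so the only visible candidate for the real difference is the trailing empty cells after BP28(R58) (`| | |` versus `| |`), i.e. how an empty Identifiers column is rendered. Normalize the Identifiers and References cells so that a rule without identifiers renders the same number of cells in every build. Separately, the description context line reads "accidentaly" for "accidentally".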
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 69 groups and 292 rules | Group
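Review bot: build stamp only ("as of 2023-10-20" versus "as of 2039-11-21", version 0.1.70 unchanged) for the ANSSI high guide; same reproducibility fix as for the other guides.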
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
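Review bot: the Shell script and Anaconda remediations for the aide package rule are removed ahead of the Ansible snippet, again with a stray blank `+` line after `- name: Ensure aide is installed`, and the next hunk re-adds them after the Ansible tags; reordering, not a content change, and the generator should emit remediations in a fixed order.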
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
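Review bot: the Anaconda `package --add=aide` line and the full container-guarded `yum install -y "aide"` script added here are the same ones removed in the preceding hunk, so the aide remediations are unchanged apart from position; nothing in the script needs attention, only the snippet ordering.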
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
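Review bot: the References line for xccdf_org.ssgproject.content_rule_aide_build_database (BP28(R51), OL08-00-010359, SV-252654r880573_rule, ...) is removed with no `+` counterpart in the hunk; sort the references cell before rendering and confirm the mappings are still present in the new build.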
@@ -287,24 +287,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
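Review bot: the References line for xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking (BP28(R51), CCI-001744, CCI-002699, CCI-002702, SRG-OS-000363-GPOS-00150, ...) is removed and nothing is added in its place; same reorder-or-loss question as for the other reference cells, and the same deterministic-ordering fix.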
@@ -424,35 +424,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r902806_rule | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, OL08-00-040310, SV-248897r880561_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 55 groups and 169 rules | Group
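Review bot: two unrelated things are mixed in this hunk and only one of them is a real change. The `-` block for "Configure AIDE to Verify Access Control Lists (ACLs)" (rule id xccdf_org.ssgproject.content_rule_aide_verify_acls, references ending in OL08-00-040310, SV-248897r880561_rule) is removed with no matching `+` block in this hunk, and its hunk header is not visible, so it cannot be confirmed from these lines whether the rule is re-emitted elsewhere in the new guide or dropped from the profile; please confirm it is a move. The other difference is the Revision History date (`- (as of 2023-10-20)` / `+ (as of 2039-11-21)`), which is being taken from the build clock: derive it from SOURCE_DATE_EPOCH or the 0.1.70 release date so a rebuild yields identical HTML and these date hunks stop hiding content changes.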
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
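Review bot: the Shell script and Anaconda remediation blocks for the aide package are removed here and the Ansible block becomes the first snippet, but none of the snippet text changes, which points to the guide generator iterating over remediation types in an unordered container (dictionary or directory order). Emit remediations in a fixed, sorted order so two builds of the same content render identically. The shell remediation itself reads correctly: the `/.dockerenv` / `/run/.containerenv` test skips the install inside containers with an explanatory message on stderr, and `rpm -q --quiet "aide"` avoids an unnecessary `yum install -y "aide"` when the package is already present.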
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
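Review bot: the `+` Anaconda (`package --add=aide`) and Shell blocks added here are byte-identical to the `-` blocks removed in the previous hunk, so the net effect on the rendered guide is ordering only; once remediation ordering in the generator is deterministic, this hunk and its partner disappear. Drive-by on the unchanged context: the trailing lone `|` after `fi` and the `⇲` glyph after each "Remediation ... snippet" heading appear to be table and collapse-widget residue from the HTML, not part of the script, so anyone copying the remediation out of the guide should drop them.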
@@ -176,20 +176,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
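Review bot: the header `@@ -176,20 +176,7 @@` says 13 lines of the "Build and Test AIDE Database" rule were removed, yet only its References line shows as a `-` line here and the rule text (`$ sudo /usr/sbin/aide --check`, "If this check produces any unexpected output, investigate") is unchanged context. Before treating this as a lost rule, check the raw HTML diff: the missing lines are most likely the same remediation-table reorder seen for the package rule, not a change to the rule or its rationale.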
@@ -406,19 +406,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -432,6 +420,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -440,27 +440,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | References:
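Review bot: the counts in `@@ -440,27 +440,7 @@` cannot be reconciled with the visible lines (seven `+` lines plus six context lines exceed a 7-line new side), so this rendering has dropped lines; what is visible is a pure move of the "Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot" rule, with the `-` and `+` copies identical down to the rule id xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot and the BP28(R58) reference. Rule order within a group should be stable across builds (sort by rule id or by profile order). Drive-by in the unchanged env_reset rationale context: "accidentaly" should read "accidentally".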
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 26 groups and 47 rules | Group
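Review bot: this hunk is date-only (`- (as of 2023-10-20)` / `+ (as of 2039-11-21)`), and the build-compare headers above show both copies of ssg-ol8-guide-anssi_bp28_minimal.html carrying the same mtime, so the date is injected at generation time from the wall clock rather than from file metadata. Use SOURCE_DATE_EPOCH (the rebuild with a far-future clock is exactly what this comparison exercises) or the content version's release date; one fix in the generator covers every guide in the package.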
@@ -102,22 +102,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010381, SV-248582r880551_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010380, SV-248581r860915_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010380, SV-248581r860915_rule | |
| Group
Updating Software
Group contains 9 rules | [ref]
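Review bot: the "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD" rule is removed and re-added verbatim (same rule id xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd, same references including OL08-00-010380 and SV-248581r860915_rule), so this is rule ordering within the group changing between builds, not a profile change. Emit rules in a deterministic order. On the substance of the unchanged context, pairing this rule with sudo_remove_no_authenticate is correct: either the NOPASSWD tag or the !authenticate default on its own removes the re-authentication step the rationale depends on.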
@@ -242,13 +242,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
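Review bot: same remediation reorder as for aide, applied to the dnf-automatic package, with no snippet text changed. One difference worth a deliberate decision: this shell remediation runs `yum install -y "dnf-automatic"` unconditionally, whereas the aide and sudo remediations in this guide are wrapped in the `/.dockerenv` / `/run/.containerenv` guard. If the dnf-automatic rule carries no container platform restriction the rendering is consistent, but confirm that an unattended updater is actually wanted in container builds rather than the guard having been omitted.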
@@ -259,6 +253,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,7 +268,24 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | References:
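Review bot: the "Configure dnf-automatic to Install Only Security Updates" rule is added above and removed below the same `| Rule` separator with identical text (set upgrade_type to security under [commands] in /etc/dnf/automatic.conf, severity low, same references), so the two rules in this group simply swapped places between builds; stable rule ordering resolves it. The header `@@ -268,7 +268,24 @@` also reports more added lines than are shown, so the new side has been truncated in this rendering and should be checked in the raw HTML diff.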
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2023-10-17 02:00:00.000000000 +0200
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 49 groups and 107 rules | Group
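Review bot: date-only hunk in ssg-ol8-guide-cjis.html, same root cause as the anssi guide: the "(as of ...)" value tracks the build clock. No per-guide action; fix the timestamp source once in the generator.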
@@ -136,16 +136,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -322,32 +322,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -450,19 +450,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
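Review bot: the aide package remediations are reordered here exactly as in the other guides (Shell and Anaconda removed before Ansible, re-added after it in the following hunk), with no text change. Because every guide that includes package_aide_installed shows this pair of hunks, the fix belongs in the shared rule-to-HTML rendering code, not in any individual profile; until then, reviewers should compare the remediation snippets as unordered sets when checking these guides.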
@@ -479,6 +467,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -500,20 +500,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -611,24 +611,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 206 rules | Group
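Review bot: the References line of "Configure Periodic Execution of AIDE" (rule id xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking) shows as removed with the Revision History of the next guide fused onto its end, and the only `+` line is the date; the header `@@ -611,24 +611,7 @@` accounts for 17 removed lines that this rendering does not show. Treat this as the usual build-date change plus a truncated rendering, and confirm in the raw HTML diff that the rule's references are intact in the new copy.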
@@ -136,19 +136,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -165,6 +153,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -201,19 +201,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, OL08-00-010020, SV-248524r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -293,33 +293,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, OL08-00-010020, SV-248524r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -454,13 +454,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
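Review bot: same remediation reorder for the crypto-policies package, again without any text change. As with dnf-automatic, this shell remediation (`rpm -q --quiet "crypto-policies"` followed by `yum install -y "crypto-policies"`) has no container guard while aide and sudo do; that is defensible for a package the configure_crypto_policy rule relies on regardless of platform, but it should be a stated choice in the rule's platform metadata rather than an accident of which rules were given the guard.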
@@ -471,6 +465,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -522,25 +522,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 48 groups and 95 rules | Group
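Review bot: the References line for "Configure Crypto Policy" (rule id xccdf_org.ssgproject.content_rule_configure_crypto_policy) is marked removed with the following guide's Revision History fused onto it, and the only visible addition is the date `+ (as of 2039-11-21)`; the 18-line removal in `@@ -522,25 +522,7 @@` is not shown. This is the build-date dependency again at the boundary between two guides; nothing in the visible rule text or its severity (high) changes.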
@@ -138,16 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -319,28 +319,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,32 +441,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -587,25 +587,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule | | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 54 groups and 141 rules | Group
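Review bot: the Revision History line in this hunk changes the "(as of …)" date from 2023-10-20 to 2039-11-21, which is sixteen years in the future for a 0.1.70 draft and points to a wrong build-host clock or an injected timestamp rather than a genuine regeneration; the guides should be regenerated with a correct date before this is merged. The same 2023-10-20 to 2039-11-21 change recurs in every Revision History hunk further down this patch, so fixing the generator's clock should clear all of them at once.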
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,32 +327,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,25 +473,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -545,11 +545,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r877394_rule | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -658,69 +658,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 206 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
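Review bot: the removal of "-Remediation Shell script" and "-package --add=aide" from ahead of the Ansible task is paired with a bare "+" empty line inserted right after "- name: Ensure aide is installed", and the hunk then shows the "Remediation Ansible snippet ⇲" header twice in a row (once before and once after that blank line); check that the template does not now emit an empty remediation block before the Ansible task. The removed shell body (the /.dockerenv and /run/.containerenv guard, `rpm -q --quiet "aide"`, `yum install -y "aide"`) is identical to the one re-added in the companion hunk below, so this is an ordering change only, and the commit message should say so.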
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
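Review bot: the re-added Shell remediation is now the last snippet for this rule, and its applicability test recognizes only the two marker files /.dockerenv and /run/.containerenv; the only hint a reader gets is the comment "# Remediation is applicable only in certain platforms", so the rendered rule should state which platforms are excluded (container images) so that the "Remediation is not applicable, nothing was done" message on stderr is not mistaken for a failed install. Nothing in the moved block changed, only its position relative to the Ansible and Anaconda snippets.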
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -192,19 +192,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, OL08-00-010020, SV-248524r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -284,33 +284,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, OL08-00-010020, SV-248524r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -445,13 +445,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
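Review bot: the Shell remediation being moved here (`if ! rpm -q --quiet "crypto-policies" ; then` / `yum install -y "crypto-policies"` / `fi`) carries no /.dockerenv or /run/.containerenv applicability guard, unlike the aide shell remediation moved in the earlier hunks; if the difference is intentional (the package being required in container images as well), a one-line note in the rule would make that clear, otherwise the guard should be added so the two shell remediations behave consistently on the same platforms.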
@@ -462,6 +456,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -513,25 +513,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 50 groups and 125 rules | Group
@@ -132,16 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,32 +318,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -446,19 +446,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -475,6 +463,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -496,20 +496,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -607,24 +607,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 29 groups and 78 rules | Group
@@ -134,16 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,32 +320,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -491,25 +491,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -563,10 +563,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r877398_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
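Review bot: the context line in this hunk spells the symlink target as /etc/cypto-policies/back-ends/krb5.config, but the directory is /etc/crypto-policies (compare the Libreswan rule's `include /etc/crypto-policies/back-ends/libreswan.config` in the next hunk); since this rule description is being touched anyway, the typo should be fixed so that an administrator following the text creates the link to the right path.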
@@ -595,18 +595,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r877398_rule | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 106 groups and 408 rules | Group
@@ -121,19 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -150,6 +138,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -171,20 +171,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -281,68 +281,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r880559_rule | | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 8
Group contains 104 groups and 406 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -287,68 +287,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r880559_rule | | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 66 groups and 228 rules | Group
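Review bot: `- (as of 2023-10-20)` / `+ (as of 2039-11-21)` shows that the revision date in the rendered guide comes from the build machine's clock rather than from the content release, which is why rebuilding under a clock set to 2039 changes the HTML. Derive the date from SOURCE_DATE_EPOCH or from the release tag so the guides are reproducible; the `Revision HistoryCurrent version: 0.1.70 - draft` heading and the table of contents that follow are unchanged context and need no action.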
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
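Review bot: every `-` line in this hunk (`-Remediation Shell script ⇲`, the guarded `yum install -y "aide"` script and `-package --add=aide`) is removed from before the Ansible snippet, and the only `+` line is a blank one, so two of the three remediations for the aide package disappear here and must be restored in the following hunk for this to be a pure reorder; confirm that. The doubled `Remediation Ansible snippet ⇲ … - name: Ensure aide is installed` sequence is the diff pairing the old Ansible heading with the new one across that blank line, which is what nondeterministic block ordering produces; a stable sort order in the generator removes the churn.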
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
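Review bot: the `+` block from `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` to the final `+fi` reproduces the container guard, the `rpm -q --quiet` check and the `yum install -y "aide"` of the script removed in the previous hunk, and `+package --add=aide` restores the Anaconda snippet, so this is the second half of a reorder of the aide remediations with no functional change. The blank `+` line before the Anaconda heading and the trailing `|` cell mean the table layout shifted as well; check the new HTML once visually, then fix the ordering at the source rather than re-reviewing this diff on every rebuild.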
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -388,19 +388,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
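Review bot: same reorder pattern as the aide rule: `- Remediation Shell script ⇲`, the guarded `yum install -y "sudo"` script and `-package --add=sudo` are removed ahead of the Ansible snippet with only a blank `+` line added, so the Shell and Anaconda remediations for sudo are missing at this point and must come back in the next hunk. Confirm that they do, and treat the root cause as the unstable remediation order in the generator rather than as a per-rule change.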
@@ -414,6 +402,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -422,27 +422,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
+reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
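Review bot: the requiretty rule (`- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty` through its `Rule ID` line) is removed and re-added after the next `| Rule` marker, so the rule changed position within the group, and the `+` copy stops at `References:` with no `+ BP28(R58)` line before the file header that follows, so the captured diff does not show the reference entry restored. Confirm in the new HTML that the requiretty rule still lists BP28(R58), and make rule order inside a group deterministic (by rule id or by the profile's selection order) so rebuilds do not move rules around.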
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 67 groups and 281 rules | Group
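Review bot: `- (as of 2023-10-20)` / `+ (as of 2039-11-21)` in ssg-ol9-guide-anssi_bp28_high.html is the same build-clock date leaking into the rendered guide as in the other profiles; the disclaimer text and table of contents around it are unchanged. One fix in the guide generator (take the date from SOURCE_DATE_EPOCH or the release tag) clears this hunk for every profile at once.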
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
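Review bot: identical to the aide reorder in the previous file: the Shell script (`-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` … `-fi`) and the Anaconda snippet (`-package --add=aide`) are removed before the Ansible snippet and only a blank `+` line is added. Confirm both are re-added below; a fixed remediation order in the generator makes this hunk disappear in every profile guide.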
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,35 +419,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
- Configure AIDE to Verify Access Control Lists (ACLs)
- [ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
-If using a custom ruleset or the acl option is missing, add acl
-to the appropriate ruleset.
-For example, add acl to the following line in /etc/aide.conf :
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already
-configured by default.
-
-The remediation provided with this rule adds acl to all rule sets available in
- /etc/aide.conf | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
-verified by the file integrity tools. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | Identifiers and References | References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 54 groups and 160 rules | Group
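Review bot: the `Configure AIDE to Verify Access Control Lists (ACLs)` rule (`- Configure AIDE to Verify Access Control Lists (ACLs)` through the references bullet ending `SRG-OS-000480-GPOS-00227`) appears only as removed lines, and the header `@@ -419,35 +419,7 @@` together with the jump straight into `Revision HistoryCurrent version` shows the output was cut off before any `+` side. That is not enough to tell a rule move from a dropped rule, and losing aide_verify_acls from the profile would be a content regression rather than ordering churn; regenerate the diff for this file with full output, and fix the `(as of 2039-11-21)` build-clock date at the source as in the other guides.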
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,20 +175,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -374,19 +374,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
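Review bot: the sudo package rule shows the same reorder as in the other guides: `- Remediation Shell script ⇲`, the guarded `yum install -y "sudo"` script and `-package --add=sudo` removed before the Ansible snippet, a blank `+` line added. Confirm the Shell and Anaconda blocks are restored in the following hunk; no per-rule review is needed beyond that.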
@@ -400,6 +388,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -408,27 +408,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
+reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | References:
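Review bot: as in the previous guide, the requiretty rule is removed (`- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty` through its `Rule ID` line) and re-added after the next `| Rule` marker, and the `+` copy again ends at `References:` with no `+ BP28(R58)` line before the next file header. Verify the reference survives in the new HTML and fix rule ordering within groups so that it is deterministic.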
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 25 groups and 45 rules | Group
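Review bot: `- (as of 2023-10-20)` / `+ (as of 2039-11-21)` in ssg-ol9-guide-anssi_bp28_minimal.html is the build-clock date again; the disclaimer lines and the shorter table of contents are unchanged context. Same fix as for the other guides: source the revision date from SOURCE_DATE_EPOCH or the release tag.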
@@ -102,22 +102,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Updating Software
Group contains 9 rules | [ref]
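Review bot: the NOPASSWD rule (`- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD` through `- BP28(R5), BP28(R59), …`) is removed and the identical text re-added after the following `| Rule` marker, so this is a rule reorder within the Account and Access Control group, not a content change; its reference list (CCI-002038, IA-11, SRG-OS-000373-GPOS-00156 through -00158) matches the no_authenticate rule's above, as expected for the two sudo re-authentication rules. Unlike the requiretty hunks, the references line is visible on the `+` side here, so nothing is lost; still, rule order inside a group should be generated deterministically so rebuilds do not produce this diff.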
@@ -238,13 +238,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
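Review bot: the dnf-automatic Shell script removed here (`-if ! rpm -q --quiet "dnf-automatic" ; then` / `- yum install -y "dnf-automatic"` / `-fi`) has no container-platform guard, whereas the aide and sudo scripts in the same guide wrap the install in `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]`. If that is intentional (the rule is meant to apply inside containers too) it is fine, but it is worth confirming, since dnf-automatic runs from a timer that a container image would not service. The reorder itself (Shell and Anaconda blocks removed before the Ansible snippet, blank `+` line added) is the same ordering churn as in the other package rules.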
@@ -255,6 +249,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
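Review bot: `+package --add=dnf-automatic` and the `+if ! rpm -q --quiet "dnf-automatic" ; then` … `+fi` block restore the Anaconda and Shell remediations removed in the previous hunk, unchanged, completing the reorder for this package rule. No functional review is needed; the fix is a deterministic remediation order in the generator.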
@@ -346,33 +346,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153 | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 61 groups and 185 rules | Group
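Review bot: in the `Ensure gpgcheck Enabled for Local Packages` rule the title, description and rationale are removed (`- Ensure gpgcheck Enabled for Local Packages` through the references bullet ending `SRG-OS-000366-GPOS-00153`) while the single line `| Rationale: | Changes to any software components can have significant effects to the overall security` stays as context, and no `+` side appears before the diff jumps to `Revision HistoryCurrent version`. The header `@@ -346,33 +346,7 @@` confirms the output was truncated, so this text cannot show whether the rule moved or was rewritten; regenerate the full diff for this file. The `(as of 2039-11-21)` date that follows is the same build-clock issue as in the other guides.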
@@ -136,19 +136,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -164,6 +152,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,19 +200,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -289,33 +289,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 7 rules | [ref]
@@ -446,13 +446,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
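Review bot: the crypto-policies Shell script removed here (`-if ! rpm -q --quiet "crypto-policies" ; then` / `- yum install -y "crypto-policies"` / `-fi`) is, like the dnf-automatic one, not wrapped in the container-platform guard that the aide and sudo scripts use; confirm that difference is intended per rule rather than an omission. Otherwise this is the familiar reorder: Shell and Anaconda (`-package --add=crypto-policies`) blocks removed before the Ansible snippet, blank `+` line added, with the blocks expected to reappear in the next hunk.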
@@ -463,6 +457,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
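Review bot: the only change in this hunk is ordering. The Anaconda and Shell remediations for crypto-policies are deleted ahead of the Ansible task and re-added, byte for byte, after `- package_crypto-policies_installed`, so remediation behaviour is unchanged. While the block is being moved, `yum install -y "crypto-policies"` in an Oracle Linux 9 guide should read `dnf install -y "crypto-policies"`: on EL9 yum is only a compatibility symlink to dnf, and the Ansible task beside it already uses the distribution-neutral `package` module.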
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto policies provide centralized control over the cryptographic algorithms that many packages use.
@@ -514,25 +514,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 45 groups and 96 rules | Group
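Review bot: the regenerated `(as of …)` stamp goes from 2023-10-20 to 2039-11-21, a date sixteen years in the future, and the same jump appears in every guide in this diff, so the build host's clock was wrong when the HTML was rendered. Regenerate with a correct clock before merging; the stamp is the only changed line visible in this hunk, so nothing else needs to be carried over.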
@@ -138,16 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -319,28 +319,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,32 +441,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
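The three RPM verification rules above (hashes, permissions, ownership) all reduce to reading `rpm -Va` output and reacting to particular flag columns. The following script is an added example, not part of the guide: it parses that output into the three deviation classes and prints the repair the guide prescribes, without running it. The function names, `SAMPLE_RPM_VA` (a constructed sample, not captured from a host) and the `demo-*` package names used in testing are this example's own; `dnf reinstall` is used as the practical equivalent of the guide's `rpm -Uvh PACKAGENAME` when the package is in an enabled repository.

```shell
#!/bin/sh
# Added example (not from the guide): classify `rpm -Va` output into the
# deviation classes behind rpm_verify_hashes, rpm_verify_permissions and
# rpm_verify_ownership, then print the repair the guide prescribes.

# Layout of one `rpm -Va` line (rpm(8), "VERIFY OPTIONS"):
#   S size  M mode  5 digest  D device  L link  U user  G group  T mtime  P caps
# then an optional file-type letter (c config, d doc, g ghost, l license,
# r readme) and the path. A deleted file is reported as "missing".
classify_rpm_verify() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%%[[:space:]]*}                 # 9 flag chars, or "missing"
        rest=${line#"$flags"}
        rest=${rest#"${rest%%[![:space:]]*}"}       # drop the column padding
        type=-
        case "$rest" in
            [cdglr][[:space:]]*)                     # optional file-type column
                type=${rest%%[[:space:]]*}
                rest=${rest#?}
                rest=${rest#"${rest%%[![:space:]]*}"} ;;
        esac
        path=$rest
        cls=""
        if [ "$flags" = missing ]; then
            cls=missing
        else
            # A digest mismatch counts only outside config files: the guide's
            # check runs with --noconfig because config files legitimately differ.
            if [ "$type" != c ]; then
                case "$flags" in ??5*) cls="${cls}hash," ;; esac
            fi
            case "$flags" in ?M*) cls="${cls}perm," ;; esac                 # rpm_verify_permissions
            case "$flags" in ?????U*|??????G*) cls="${cls}owner," ;; esac   # rpm_verify_ownership
        fi
        [ -n "$cls" ] || continue          # size/mtime-only drift is not a finding
        printf '%s\t%s\t%s\n' "${cls%,}" "$type" "$path"
    done
}

# Resolve a path to its owning package; overridden in offline tests.
pkg_of() { rpm -qf --queryformat '%{NAME}\n' "$1"; }

# Print (never run) the repair for each finding: --setperms and --setugids
# restore the vendor mode and ownership; a digest mismatch or a missing file
# means reinstalling the package.
rpm_verify_fix_commands() {
    tab=$(printf '\t')
    classify_rpm_verify | while IFS="$tab" read -r cls type path; do
        pkg=$(pkg_of "$path") || pkg="<unowned:$path>"
        case ",$cls," in *,perm,*)  printf 'rpm --setperms %s        # %s\n' "$pkg" "$path" ;; esac
        case ",$cls," in *,owner,*) printf 'rpm --setugids %s        # %s\n' "$pkg" "$path" ;; esac
        case ",$cls," in *,hash,*|*,missing,*) printf 'dnf reinstall -y %s      # %s\n' "$pkg" "$path" ;; esac
    done
}

# Constructed sample of `rpm -Va` output (not captured from a real host).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/passwd
.M.......    /usr/bin/sudo
.....UG..    /var/log/audit
missing     /usr/sbin/auditctl
.......T.    /usr/share/zoneinfo/UTC'

# On a live host: rpm -Va | classify_rpm_verify   (or | rpm_verify_fix_commands)
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify
```

Of the six sample lines only four are findings: the modified sshd_config is a config file and is ignored for the digest check, and the mtime-only change under zoneinfo is not a deviation the rules care about. Treat the printed commands as a worklist: a digest mismatch on a binary such as /usr/bin/passwd is the case the rationale calls "a sign of nefarious activity" and deserves investigation before anything is reinstalled over it.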
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -587,25 +587,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 52 groups and 135 rules | Group
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,32 +327,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,25 +473,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto policies provide centralized control over the cryptographic algorithms that many packages use.
@@ -543,11 +543,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -655,69 +655,7 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 61 groups and 185 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
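Review bot: the moved Shell remediation keeps its `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` guard, but the Ansible task it now follows shows no platform condition at all, so the two remediations disagree about whether aide gets installed inside a container. If the task's `when:` clause was dropped by the renderer this is a rendering bug to fix before publishing; if not, the Ansible snippet needs the same container exclusion so that both remediation paths enforce the rule on the same set of platforms.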
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -190,19 +190,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -279,33 +279,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 7 rules | [ref]
@@ -436,13 +436,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -453,6 +447,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto policies provide centralized control over the cryptographic algorithms that many packages use.
@@ -504,25 +504,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 49 groups and 123 rules | Group
@@ -132,16 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,32 +318,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -446,19 +446,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -474,6 +462,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,20 +495,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
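The two AIDE rules on this page, building and checking the database and running the check on a schedule with notification of the ISSO and SAs, are easiest to get right with one small wrapper. The script below is an added example, not the guide's or the AIDE project's code: it maps aide's exit status to a verdict, keeps each report, and sends mail only when the scan found changes or failed. It assumes the Enterprise Linux default paths (/usr/sbin/aide, /var/lib/aide/aide.db.gz), an installed sendmail(8), and an install location of /usr/local/sbin/aide-check.sh for the cron line; all of these are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the guide: weekly AIDE run with exit-code
# interpretation and notification. Paths and names are this example's own.

AIDE=${AIDE:-/usr/sbin/aide}
NOTIFY=${NOTIFY:-root}              # mailbox of the ISSO / SAs the guide names
REPORT_DIR=${REPORT_DIR:-/var/log/aide}

# Build and Test AIDE Database: aide --init writes aide.db.new.gz; it only
# becomes the reference once moved over aide.db.gz.
aide_init_database() {
    "$AIDE" --init && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}

# aide(1) exit status: 0 clean; bits 1/2/4 = new/removed/changed files
# (combinable, e.g. 7 = all three); 14-19 are configuration or I/O errors.
# Returns 0 for clean, 1 for an integrity violation, 2 for a scan error.
aide_verdict() {
    code=$1
    case "$code" in
        0)  echo "clean"; return 0 ;;
        1|2|3|4|5|6|7)
            v=""
            case $((code & 1)) in 1) v="$v new-files" ;; esac
            case $((code & 2)) in 2) v="$v removed-files" ;; esac
            case $((code & 4)) in 4) v="$v changed-files" ;; esac
            echo "integrity-violation:${v}"; return 1 ;;
        14) echo "error: cannot write report or database"; return 2 ;;
        15) echo "error: invalid argument"; return 2 ;;
        16) echo "error: unimplemented function"; return 2 ;;
        17) echo "error: invalid configuration line"; return 2 ;;
        18) echo "error: I/O error"; return 2 ;;
        19) echo "error: database version mismatch"; return 2 ;;
        *)  echo "error: unexpected exit status $code"; return 2 ;;
    esac
}

# Notification hook; swap the transport here if the host has no sendmail.
send_report() {
    { printf 'Subject: AIDE on %s: %s\n\n' "$(hostname)" "$1"; cat "$2"; } | /usr/sbin/sendmail "$NOTIFY"
}

# Run the check, keep the full report, log the verdict, notify on anything
# but a clean result. A scan error is reported too: a silently failing
# integrity check is worse than a noisy one.
aide_periodic_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-check-$(date +%Y%m%d-%H%M%S).log"
    rc=0
    "$AIDE" --check >"$report" 2>&1 || rc=$?
    verdict=$(aide_verdict "$rc") || :
    logger -t aide-check "exit=$rc verdict=$verdict report=$report"
    [ "$rc" -eq 0 ] || send_report "$verdict" "$report"
    return "$rc"
}

# Schedule (the guide's minimum is weekly; this runs Sunday 04:05), to be
# installed as /etc/cron.d/aide-check:
#   05 4 * * 0 root /usr/local/sbin/aide-check.sh
case "${0##*/}" in aide-check.sh) aide_periodic_check ;; esac
```

Run `aide_init_database` once after the system is in its known-good state, and again (deliberately, after reviewing a clean report) whenever an approved update changes monitored files; otherwise every subsequent weekly report is dominated by expected churn and real changes go unnoticed.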
@@ -602,24 +602,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 29 groups and 78 rules | Group
@@ -134,16 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,32 +320,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -491,25 +491,7 @@
submits to this process. | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto policies provide centralized control over the cryptographic algorithms that many packages use.
@@ -561,10 +561,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
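The crypto-policy rules on this page are all file checks: the active policy recorded by update-crypto-policies, no `CRYPTO_POLICY=` override in /etc/sysconfig/sshd (the SSH rule earlier on the page), the Kerberos drop-in symlink described just above, and, on a FIPS build, the kernel flag behind the Enable FIPS Mode rule. The script below is an added example, not the guide's check content: it audits all of them against a root directory so it can run against a mounted image or a constructed fixture as well as a live host. Note that the guide's Kerberos text spells the directory `cypto-policies`; the real back-end path, used here, is /etc/crypto-policies/back-ends/krb5.config. The function names, `EXPECTED_POLICY`, and the `make_bad_fixture` tree (a constructed, deliberately non-compliant Oracle Linux 9 layout) are this example's own; the dracut FIPS module check is not covered because it needs lsinitrd on the real initramfs.

```shell
#!/bin/sh
# Added example, not from the guide: audit the "use the system crypto policy"
# rules. Every path is read under $ROOT (empty on a live host). Prints one
# finding per line; prints nothing and returns 0 when compliant.

EXPECTED_POLICY=${EXPECTED_POLICY:-DEFAULT}    # DEFAULT, or FIPS on a FIPS build
KRB5_BACKEND=/etc/crypto-policies/back-ends/krb5.config

crypto_policy_findings() {          # usage: crypto_policy_findings [ROOT]
    root=${1:-}; n=0

    # configure_crypto_policy: update-crypto-policies records the active policy
    # (optionally with ":SUBPOLICY" suffixes) in /etc/crypto-policies/config.
    pol=""
    if [ -r "$root/etc/crypto-policies/config" ]; then
        IFS= read -r pol < "$root/etc/crypto-policies/config" || :
    fi
    case "$pol" in
        "$EXPECTED_POLICY"|"$EXPECTED_POLICY":*) ;;
        *) n=$((n+1)); printf 'configure_crypto_policy: active policy is "%s", expected %s\n' "${pol:-<unset>}" "$EXPECTED_POLICY" ;;
    esac

    # configure_ssh_crypto_policy: an uncommented CRYPTO_POLICY= line in
    # /etc/sysconfig/sshd makes sshd ignore the system policy.
    if grep -Eq '^[[:space:]]*CRYPTO_POLICY=' "$root/etc/sysconfig/sshd" 2>/dev/null; then
        n=$((n+1)); printf 'configure_ssh_crypto_policy: CRYPTO_POLICY overridden in /etc/sysconfig/sshd\n'
    fi

    # configure_kerberos_crypto_policy: the drop-in must be a symlink to the
    # krb5 back-end, not a copy of it and not a locally edited file.
    link="$root/etc/krb5.conf.d/crypto-policies"
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$KRB5_BACKEND" ]; then
        n=$((n+1)); printf 'configure_kerberos_crypto_policy: /etc/krb5.conf.d/crypto-policies is not a symlink to %s\n' "$KRB5_BACKEND"
    fi

    # enable_fips_mode: a FIPS build must boot with fips=1 and the kernel must
    # confirm it in /proc/sys/crypto/fips_enabled; other policies skip this.
    if [ "$EXPECTED_POLICY" = FIPS ]; then
        fe=0
        if [ -r "$root/proc/sys/crypto/fips_enabled" ]; then
            fe=$(cat "$root/proc/sys/crypto/fips_enabled")
        fi
        if [ "$fe" != 1 ] || ! grep -qw 'fips=1' "$root/proc/cmdline" 2>/dev/null; then
            n=$((n+1)); printf 'enable_fips_mode: fips_enabled=%s, or fips=1 missing from the kernel command line\n' "$fe"
        fi
    fi
    [ "$n" -eq 0 ]
}

# Constructed fixture (not a real host): every check fails, so the demo
# below shows the full set of findings.
make_bad_fixture() {                # usage: make_bad_fixture DIR
    mkdir -p "$1/etc/crypto-policies" "$1/etc/sysconfig" "$1/etc/krb5.conf.d" "$1/proc/sys/crypto"
    echo LEGACY > "$1/etc/crypto-policies/config"
    printf 'CRYPTO_POLICY=-oCiphers=aes128-cbc\n' > "$1/etc/sysconfig/sshd"
    : > "$1/etc/krb5.conf.d/crypto-policies"            # regular file, not the symlink
    echo 0 > "$1/proc/sys/crypto/fips_enabled"
    echo 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/ol-root ro' > "$1/proc/cmdline"
}

# Demo on the fixture; on a live host run: crypto_policy_findings ""
demo_root=$(mktemp -d)
make_bad_fixture "$demo_root"
crypto_policy_findings "$demo_root" || echo "non-compliant (see findings above)"
rm -rf "$demo_root"
```

Pair the findings with the remediations on this page: `update-crypto-policies --set DEFAULT` (or FIPS via fips-mode-setup, which also needs a reboot) for the first, commenting out the sshd override and restarting sshd for the second, and re-creating the symlink with `ln -sf /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies` for the third.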
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto policies provide centralized control over the cryptographic algorithms that many packages use.
@@ -592,18 +592,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 115 groups and 490 rules | Group
@@ -122,19 +122,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -150,6 +138,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -171,68 +171,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -324,24 +324,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Oracle Linux 9
Group contains 113 groups and 487 rules | Group
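Review bot: the only change in this hunk is the Revision History line moving from "(as of 2023-10-20)" to "(as of 2039-11-21)", a date in the future, while the version stays "0.1.70 - draft"; the guide appears to stamp the build clock rather than a date derived from the content. Take the date from SOURCE_DATE_EPOCH or from the release changelog so that a rebuild with a shifted clock yields identical HTML; until then every rebuild will show this spurious diff in all of the guides below.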
@@ -128,19 +128,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -177,68 +177,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -330,24 +330,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 50 groups and 156 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 51 groups and 200 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 37 groups and 92 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- Mail Server Software
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 11 groups and 8 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- File Permissions and Masks
- SELinux
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 23 groups and 51 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2023-10-17 02:00:00.000000000 +0200
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 242 rules | Group
@@ -572,7 +572,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6667,7 +6667,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
@@ -8264,7 +8264,7 @@
any direct remote access to the RHCOS nodes is unnecessary. Disabling
the SSHD service helps reduce the number of open ports on each host. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_service_sshd_disabled | Identifiers and References | Identifiers:
CCE-86189-8 References:
- CM-3(6), IA-2(4), SRG-APP-000185-CTR-000490, SRG-APP-000141-CTR-000315 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
@@ -572,7 +572,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6667,7 +6667,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2023-10-17 02:00:00.000000000 +0200
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
@@ -561,7 +561,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6656,7 +6656,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 29 groups and 107 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2023-10-17 02:00:00.000000000 +0200
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
@@ -131,19 +131,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -161,6 +149,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -184,24 +184,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -323,22 +323,7 @@
$ sudo /usr/sbin/prelink -ua | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | Identifiers and References | Identifiers:
CCE-27078-5 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, 1.5.4 | | |
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -520,15 +520,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | Identifiers and References | Identifiers:
CCE-81004-4 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, 1.7.2 | | |
| Group
Updating Software
Group contains 3 rules | [ref]
@@ -592,35 +592,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 69 groups and 233 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
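Review bot: no remediation content changes in this hunk; the Shell script (container guard plus "yum install -y "aide""), the Anaconda "package --add=aide" line and the Ansible "Ensure aide is installed" task are only removed here to reappear later in a different order, with the Ansible task now first. Two builds of the same source producing a different remediation order points to iteration over an unordered collection when a rule's remediations are rendered; emit them in a fixed order (for example by remediation type) so that an unchanged rule renders identically every time.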
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
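Review bot: this completes the reorder: the Anaconda and Shell remediations for aide come back after the Ansible task's "- package_aide_installed" tag, byte for byte the same as the blocks removed in the previous hunk. Rather than accept a diff that only moves identical blocks, make the generator order remediations from the source's own remediation list instead of a set or dict, and add a reproducibility check that builds the guide twice and compares the HTML.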
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -314,21 +314,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips-aesni_installed | Identifiers and References | Identifiers:
CCE-90778-2 References:
- BP28(R1), 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223 | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -587,19 +587,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
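Review bot: same ordering instability as for aide, now for the sudo package: the Shell, Anaconda and Ansible remediations are removed unchanged and re-added further down with the Ansible task first. One fix to the remediation ordering in the generator clears every hunk of this shape, so there is nothing to review in the remediations themselves.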
@@ -614,6 +602,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -624,27 +624,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 70 groups and 289 rules | Group
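Review bot: as in the first guide, the only change here is the Revision History date moving from 2023-10-20 to 2039-11-21, with the env_reset rule's references and the table of contents unchanged around it; the same build-clock dependency applies. Unrelated to the diff, the rationale in the context lines reads "accidentaly"; that typo lives in the rule description in the source and should be fixed there as "accidentally".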
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
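Review bot: the aide remediation blocks move again here, in the second guide file, without any change to their content; the Shell, Anaconda and Ansible snippets match the earlier ones line for line. This is the same generator ordering problem, not a content change to this guide.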
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -443,35 +443,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | Identifiers:
CCE-80374-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r902701_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 55 groups and 160 rules | Group
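Review bot: date-only change again, "- (as of 2023-10-20)" to "+ (as of 2039-11-21)", in the guide with 55 groups and 160 rules; the aide_scan_notification references and CPE list are unchanged context. Same root cause as the earlier date hunks: the guide stamps the build time instead of the content release date.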
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
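Review bot: third occurrence of the aide remediation reorder, in the 55-group guide; nothing in the Shell, Anaconda or Ansible snippets differs from the blocks re-added in the following hunk. Expect this hunk to disappear once remediation order is deterministic.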
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -459,19 +459,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
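Review bot: the sudo remediation reorder repeats here in the 55-group guide; the removed "package --add=sudo" and the Shell script with its "rpm -q --quiet "sudo"" check come back unchanged in the next hunk. No content change to review, only the ordering defect.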
@@ -486,6 +474,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -496,27 +496,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 7, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-83809-4 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 7, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
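Review bot: the "Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot" rule is removed and re-added with identical text, so this hunk changes rule order within the sudo group between builds, which is the same ordering instability seen for remediations but at the rule level; the order in which rules are rendered inside a group needs to follow the profile's rule list. Separately, the rule description as it stands says "On Red Hat Enterprise Linux 7, env_reset is enabled by default" inside the ignore_dot rule; that sentence reads as carried over from the env_reset rule above and should name the option this rule is about (after checking what its default actually is) or be dropped from the source description.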
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 26 groups and 42 rules | Group
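Review bot: in ssg-rhel7-guide-anssi_nt28_minimal.html the hunk header "@@ -71,7 +71,7 @@" already says one line changed for one line, and the body confirms it is only the date, 2023-10-20 versus 2039-11-21. A second build producing a date in 2039 is consistent with a reproducibility test run under a deliberately shifted clock, which this output fails; the fix is the same as for the other guides.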
@@ -103,22 +103,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010350, SV-204430r853885_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
- CCE-80351-0 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010340, SV-204429r861003_rule | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
+ CCE-80351-0 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010340, SV-204429r861003_rule | |
| Group
Updating Software
Group contains 5 rules | [ref]
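Review bot: the "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD" rule block is removed and re-added verbatim, including its CCE-80351-0 identifier and reference list, so nothing about the rule changed; only its position relative to the sudo_remove_no_authenticate rule did. Rule order within a group is being rendered from an unordered collection; sort by the profile's rule order or by rule id so that the two builds agree.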
@@ -253,35 +253,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | Identifiers:
- CCE-80347-8 References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-07-020060, SV-204448r877463_rule | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
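Review bot: the "Ensure gpgcheck Enabled for Local Packages" rule is likewise removed and re-added with the same text, identifier CCE-80347-8 and references; it only swaps position with the ensure_gpgcheck_globally_activated rule. Same rule-ordering instability as in the sudo group of this guide; one fix to the rendering order covers both.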
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 111 groups and 341 rules | Group
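Review bot: ssg-rhel7-guide-cis.html shows the same date-only hunk at "@@ -70,7 +70,7 @@", 2023-10-20 against 2039-11-21, with the CPE list and the long table of contents unchanged. The guide HTML should not embed the build clock; use the content release date.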
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
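Review bot: the aide remediation reorder appears in the CIS guide as well; the Shell, Anaconda and Ansible snippets removed here are the same as everywhere else and return unchanged in the following hunk. Ordering defect only.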
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -437,20 +437,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
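Review bot: the prelink removal remediations are reordered with no content change, so the only reviewable problem in this hunk is again the unstable ordering of the Shell, Anaconda and Ansible snippets. Two observations on the script itself while it is visible: it runs "prelink -ua" before "yum remove -y "prelink"", which is the right order since binaries must be un-prelinked while the tool is still present, and, unlike the aide and sudo install scripts, it carries no container-applicability guard; confirm that difference is intended.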
@@ -489,6 +476,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -669,69 +669,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-07-010063, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 273 rules | Group
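Review bot: the only content change in the lines between the `@@ -669,69 +669,7 @@` header and the next `@@` header is the embedded build date, `- (as of 2023-10-20)` against `+ (as of 2039-11-21)`, so the guide's Revision History records the clock of the build host rather than a value derived from the sources, which by itself makes every rendered guide differ between two builds of the same release. Suggest deriving that date from SOURCE_DATE_EPOCH or from the release's own version metadata (here `0.1.70 - draft`) so the two builds agree; the same date pair repeats at the head of each guide file below, including the `@@ -71,7 +71,7 @@` hunk of ssg-rhel7-guide-e8.html at the end of this section. Note also that the header reports 69 old lines against 7 new, yet only the references line and the date carry a `-`/`+` prefix here, so the lines actually dropped from this region are not visible in this rendering and should be checked in the full diff.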
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -437,20 +437,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -489,6 +476,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -589,69 +589,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-07-010063, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 93 groups and 266 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -437,20 +437,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -489,6 +476,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -589,69 +589,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-07-010063, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 108 groups and 338 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -437,20 +437,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-if rpm -q --quiet "prelink" ; then
-
- yum remove -y "prelink"
-
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-package --remove=prelink
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -489,6 +476,19 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+package --remove=prelink
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+if rpm -q --quiet "prelink" ; then
+
+ yum remove -y "prelink"
+
+fi
|
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -669,69 +669,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-07-010063, 1.8.3, SV-256969r902690_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | Group
@@ -137,16 +137,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -336,32 +336,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
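Review bot: the `@@ -336,32 +336,7 @@` hunk removes the entire Shell script and Ansible remediation for rpm_verify_permissions (`-declare -A SETPERMS_RPM_DICT` through `- name: Read list of files with incorrect permissions`) and re-adds only the references line, and no matching `+` block is visible in this rendering; the `@@ -137,16 +137,7 @@` hunk just above for rpm_verify_hashes shows the same shape. The hunk offsets suggest the lines are re-emitted elsewhere in the new file (the following hunk starts at line 471 on both sides even though this one drops 25 lines), consistent with the remediation reorder seen in the other hunks, but that should be confirmed against the full new file before this diff is signed off as a pure reorder. While the script is on screen: `awk '{ if (substr($0,2,1)=="M") print $NF }'` over `rpm -Va --nofiledigest` output keeps only the last whitespace-separated field, so a path containing whitespace is truncated, `rpm -qf` then reports it as not owned (on stderr) and the file is skipped rather than repaired; worth a follow-up even though this patch does not touch that line.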
@@ -471,19 +471,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -501,6 +489,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -523,20 +523,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -639,24 +639,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | Group
@@ -153,19 +153,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
@@ -190,6 +178,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
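Review bot: the platform guard in the `@@ -190,6 +178,18 @@` hunk, `+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then`, tests /.dockerenv and /run/.containerenv twice and runs the first group in a subshell `( ... )` to no effect; the two container checks and the bwrap-osbuild check collapse to a single `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ "${container:-}" != "bwrap-osbuild" ]`. Harmless at runtime, but it looks like two platform conditions were concatenated by the generator, and a deduplicated guard is easier to audit. The change itself is the same Shell/Anaconda/Ansible reorder as for prelink and aide above, with identical content on the removed and added sides.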
@@ -227,74 +227,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, RHEL-07-021350, SV-204497r877398_rule | | |
| Group
Updating Software
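Review bot: this hunk (74 lines to 7) deletes the References list of `xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode` (CCI-000068 through SV-204497r877398_rule, including RHEL-07-021350) and adds nothing that re-lists them. The `rpm_verify_permissions` hunks later in this diff show the same list being re-added after the Ansible snippet as a `+ 1, 11, 12, ...` line, so confirm the FIPS rule's references are re-emitted further down as well rather than lost; a high-severity STIG-mapped rule without its SRG/STIG identifiers breaks traceability for anyone auditing against RHEL-07-021350.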
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | Group
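Review bot: the only real change in this 7-line hunk is `- (as of 2023-10-20)` to `+ (as of 2039-11-21)`, and 2039-11-21 is sixteen years after the file timestamps in the diff header (2023-10-17). That is the build host clock or a mis-set SOURCE_DATE_EPOCH leaking into the rendered guide, not a revision; `Current version: 0.1.70 - draft` is unchanged, which confirms nothing was revised. Fix the date source rather than accepting the new HTML. The `- cpe:/o:redhat:enterprise_linux:7::...` lines are list bullets, not removals, so the CPE platform list itself is untouched.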
@@ -139,16 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
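Review bot: the References line for `rpm_verify_hashes` (CCE-27157-7, including RHEL-07-010020 and SV-214799r854001_rule) is removed and the hunk shrinks from 16 to 7 lines with no matching `+`. Unlike the `rpm_verify_permissions` hunk below, nothing in this excerpt shows the list being re-inserted, so verify that the new e8 guide still renders the hashes rule's CCI/STIG mapping before the HTML is shipped.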
@@ -333,28 +333,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
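Review bot: same pattern as the hashes hunk above: the `rpm_verify_ownership` references (CCE-80545-7, RHEL-07-010010, SV-204392r880752_rule) go from 28 lines to 7 with only a deletion visible. Note that `SV-204392r880752_rule` and `RHEL-07-010010` are also listed under `rpm_verify_permissions` in the next hunk; if the references are being regenerated, this is the moment to check that the ownership and permissions rules are not both claiming the same STIG ID by accident.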
@@ -462,32 +462,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Sudo
Group contains 3 rules | [ref]
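Review bot: two points here. First, the Bash remediation for `rpm_verify_permissions` is deleted and only the reference list is re-added (`+ 1, 11, 12, ...` immediately after `- name: Read list of files with incorrect permissions`), so as far as this hunk shows the new guide drops the shell fix for a high-severity rule while keeping the Ansible one; confirm that is intended. Second, if the script survives elsewhere, `readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')` breaks on paths containing whitespace, because `$NF` is only the last field, and `rpm --restore "${RPM_PACKAGE}"` resets owner, group and mode for every file in the package rather than the flagged ones, which is why the snippet carries Disruption: medium; slicing the path out of the fixed-width `rpm -Va` line instead of using `$NF` would be more robust.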
@@ -593,22 +593,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010350, SV-204430r853885_rule | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
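Review bot: this hunk removes the `sudo_remove_no_authenticate` references (CCI-002038, RHEL-07-010350, SV-204430r853885_rule) and, judging by the leading `-` on the following `Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD` title and its `[ref]` line, also starts deleting the NOPASSWD rule; the hunk is 22 lines to 7 and is cut off by the next file header, so the e8 Sudo group (`Group contains 3 rules`) needs to be re-counted after the change. Dropping the NOPASSWD rule from the e8 profile would be a control regression rather than a rendering change and needs an explicit justification in the commit message.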
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | Group
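Review bot: `+ (as of 2039-11-21)` in the HIPAA guide is the same bogus future date as in the e8 guide, sixteen years past the 2023-10-17 file timestamps while `Current version: 0.1.70 - draft` stays the same. One root cause (build clock or SOURCE_DATE_EPOCH) is producing this line in every guide; fix it once in the build rather than accepting each rendered HTML.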
@@ -142,16 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
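Review bot: the `rpm_verify_hashes` references are removed from the HIPAA guide here (16 lines to 7, deletion only), and this is the list that carries the HIPAA citations 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2) and 164.312(e)(2)(i). If the references are not re-emitted later in the file, the HIPAA profile loses its mapping for this rule; check the rendered output, not just the diff.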
@@ -341,32 +341,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
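Review bot: as in the e8 guide, the `rpm_verify_permissions` Bash remediation (`declare -A SETPERMS_RPM_DICT` through `rpm --restore "${RPM_PACKAGE}"`) is removed and the reference list is re-added as a single `+` line after `- name: Read list of files with incorrect permissions`. The re-added line does preserve the HIPAA citations (164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)), which is good; what still needs confirming is whether the shell remediation is gone from the HIPAA guide or merely moved out of this hunk.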
@@ -543,69 +543,7 @@
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | Identifiers:
CCE-80120-9 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
- Require Encryption for Remote Access in GNOME3
- [ref] | By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
- require-encryption to true in
- /etc/dconf/db/local.d/00-security-settings . For example:
- [org/gnome/Vino]
-require-encryption=true
-
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/Vino/require-encryption
-After the settings have been set, run dconf update . | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
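Review bot: this hunk (69 lines to 7) deletes the whole `Require Encryption for Remote Access in GNOME3` rule, the `[org/gnome/Vino]` / `require-encryption=true` setting and its `/org/gnome/Vino/require-encryption` lock, together with the references of the preceding `dconf_gnome_remote_access_credential_prompt` rule (164.308(a)(4)(i) through 164.312(e)(2)(ii)), and adds nothing in their place. Removing a HIPAA-mapped rule is a profile change, not a rendering fix, so either the commit should say why the rule left the HIPAA profile or the rule should be restored. The last context line, `Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands`, is cut mid-sentence by the file boundary, so the excerpt does not show where the deletion actually ends.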
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2023-10-17 02:00:00.000000000 +0200
@@ -92,7 +92,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | Group
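Review bot: third occurrence of `+ (as of 2039-11-21)`, now in the NCP guide; same wrong future date, same unchanged `Current version: 0.1.70 - draft`. Since the NCP guide is the largest profile in this diff (`Group contains 105 groups and 385 rules`), it is the one most likely to be handed to an auditor, so the date header should not go out reading 2039.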
@@ -160,16 +160,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
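Review bot: the NCP copy of the `rpm_verify_hashes` references (CCE-27157-7, SV-214799r854001_rule) is removed here with no `+` counterpart in the hunk, the fourth guide in this diff where that happens. If this is a deliberate move of references below the remediation snippets, the hunk that re-adds them should be visible in the same file diff, as it is for `rpm_verify_permissions`; if it is not, the hashes rule has silently lost its mapping in every profile.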
@@ -359,32 +359,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
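Review bot: same `rpm_verify_permissions` reorder as in the e8 and HIPAA guides: Bash remediation removed, references re-added after `- name: Read list of files with incorrect permissions`. One detail worth fixing while this script is being regenerated: the comment `# NOTE: some files maybe controlled by more then one package` should read "may be controlled by more than one package", and the loop it describes relies on `rpm -qf` printing one package per line, which it does, so the associative-array dedup is correct.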
@@ -494,19 +494,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
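Review bot: the aide remediation guard `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` lacks the `"${container:-}" == "bwrap-osbuild"` exclusion that the dracut-fips snippet in this same diff has, so an osbuild image build would still run `yum install -y "aide"` here while skipping dracut-fips; both platform guards should come from one template. The rest of the hunk is the same Bash/Anaconda/Ansible to Ansible/Anaconda/Bash reorder seen for the other package rules and changes nothing functionally.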
@@ -524,6 +512,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
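Review bot: the re-added aide Bash snippet ends at `+fi` followed by a stray `|`, then `| Rule`, the same table-cell residue seen after the dracut-fips reorder, so the remediation cell is being closed correctly after the move. The tags `medium_severity`, `no_reboot_needed` and `package_aide_installed` survive the reorder intact. Nothing here changes what the remediation does; the hunk only exists because the snippet order changed.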
@@ -546,20 +546,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
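Review bot: the `aide_build_database` references (CCE-27220-3, BP28(R51), RHEL-07-020029, SV-251705r880854_rule) are removed here, 20 lines to 7, with no `+` line in the hunk. Same request as for the other reference deletions: show where they are re-emitted, or this medium-severity rule loses its STIG mapping in the NCP guide.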
@@ -662,24 +662,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | Group
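Review bot: the context line for `aide_periodic_cron_checking` (CCE-26952-2, SV-204445r902698_rule) runs straight into `Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client`, which is the head of a different guide: its table of contents and `Group contains 50 groups and 103 rules` match the first guide in this diff, not the NCP guide's 105 groups and 385 rules. The `--- old/` / `+++ new/` header for that file is missing from the excerpt, so the `+ (as of 2039-11-21)` change and the dracut-fips hunks that follow cannot be attributed to a file; please regenerate the diff with full headers. The 2039 date is wrong here for the same reason as in the other guides.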
@@ -144,19 +144,7 @@
[[packages]]
name = "dracut-fips"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dracut-fips
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dracut-fips is installed
package:
name: dracut-fips
state: present
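Review bot: repeat of the dracut-fips reorder from the first guide, including the redundant guard `... ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then` that re-tests the two container markers already checked in the first group. The duplication comes from the shared template, so one fix there cleans up every guide.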
@@ -181,6 +169,18 @@
- medium_severity
- no_reboot_needed
- package_dracut-fips_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dracut-fips
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if ! rpm -q --quiet "dracut-fips" ; then
+ yum install -y "dracut-fips"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
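Review bot: the re-inserted dracut-fips Bash snippet is byte-for-byte the removed one, redundant guard included, so the hunk pair is pure reordering. The `|` after `+fi` and the `| Rule` that follows show the cell closing correctly before the `Enable FIPS Mode in GRUB2` rule, which is the rule that actually consumes this package (`install package dracut-fips , and rebuild initramfs`); the package rule's `no_reboot_needed` tag is right for the install alone and should not be copied onto the GRUB2 rule.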
@@ -218,74 +218,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, RHEL-07-021350, SV-204497r877398_rule | | |
| Group
Updating Software
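Review bot: second deletion of the `grub2_enable_fips_mode` references (CCE-80359-3, RHEL-07-021350, SV-204497r877398_rule), again 74 lines to 7 with nothing re-added in the hunk. Whichever guide this belongs to (the file header is missing, see above), the FIPS rule is high severity and STIG-mapped, so the re-emitted list must be confirmed in the rendered HTML.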
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
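Review bot: The only content change in this hunk is the revision date moving from `(as of 2023-10-20)` to `(as of 2039-11-21)`, which shows that the generated guide embeds the build wall-clock time and will differ on every rebuild; have the generator take the date from SOURCE_DATE_EPOCH so the package is reproducible. Note also that lines such as `- cpe:/o:redhat:enterprise_linux:7::computenode` read like deletions, but the 7/7 line counts in the hunk header mean they are rendered bullet items, so the `-` prefix in this rendered-text diff is ambiguous and should not be taken as a removed platform.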
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -332,32 +332,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
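Review bot: On the old side of this hunk the references for rpm_verify_permissions and the `Remediation Shell script ⇲Complexity: | high |` header share a single line, followed by the `rpm --restore` loop and the Ansible snippet, while on the new side only the references line is added and no remediation block appears within the 7 new lines. Confirm that the shell and Ansible remediations for this rule are still emitted further down in the new guide rather than dropped; as shown, the hunk cannot distinguish a move from a deletion.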
@@ -467,19 +467,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
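Review bot: The Shell and Anaconda remediations for package_aide_installed are removed here and the Ansible snippet moves to the top, and the following hunk adds the same Anaconda and Shell blocks back after the Ansible task, so this is a reordering with no change in content. The generator should write remediation snippets in a fixed order (for example sorted by type) so that two builds from the same source yield identical HTML and the comparison does not flag every rule that has more than one remediation.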
@@ -497,6 +485,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
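Review bot: The offsets `@@ -497,6 +485,18 @@` are consistent with a pure reorder: the preceding hunk shrank the file by 12 lines (19 removed, 7 added) and this one grows it by 12 (6 to 18), and the re-added `yum install -y "aide"` script, including its `/.dockerenv` and `/run/.containerenv` container check, is identical to the one removed above. Nothing in the script itself needs review; the nondeterministic ordering in the guide generator is what should be fixed.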
@@ -519,20 +519,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -635,24 +635,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | Group
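Review bot: This hunk does not respect document boundaries: the removed references line for aide_periodic_cron_checking runs straight into a `Profile Information` block, a new revision date and the table of contents of a different guide (100 groups and 377 rules, where the pci-dss guide above has 47 groups and 96 rules), so the `-635,24 +635,7` counts cover text from more than one rendered profile. Emit the comparison per guide file, with its own `--- old` / `+++ new` header as the pci-dss and rhelh-vpp guides have, so that each hunk can be attributed to one profile.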
@@ -135,16 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -329,28 +329,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -458,32 +458,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -593,19 +593,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -623,6 +611,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2023-10-17 02:00:00.000000000 +0200
@@ -90,7 +90,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | Group
@@ -158,16 +158,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -352,28 +352,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -481,32 +481,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -642,74 +642,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, RHEL-07-021350, SV-204497r877398_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
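Review bot: The same two problems recur here for the rhelh-vpp guide: the `@@ -642,74 +642,7 @@` hunk removes the grub2_enable_fips_mode references and then runs into the `Profile Information` block and table of contents of yet another profile (38 groups and 68 rules), and the only real difference it shows is `(as of 2023-10-20)` becoming `(as of 2039-11-21)`. Since every guide under /usr/share/doc/scap-security-guide/guides embeds that date, fix it once in the generator (derive it from SOURCE_DATE_EPOCH) rather than treating each flagged guide separately.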
@@ -124,19 +124,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -276,35 +276,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -372,9 +372,7 @@
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | Identifiers and References | Identifiers:
CCE-26876-3 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -456,34 +456,7 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-07-010019, 1.2.3, SV-256968r902687_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 32 groups and 74 rules | Group
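Review bot: the Revision History line changes from "(as of 2023-10-20)" to "(as of 2039-11-21)", a date sixteen years ahead, while the `---`/`+++` headers elsewhere in this diff show both old and new guides with the same 2023-10-17 file timestamp; the guide is stamping the build clock into the HTML rather than a fixed release date, so two builds of the same source will always differ here. Derive the "as of" date from the source tree (for example from SOURCE_DATE_EPOCH or the release date of the content) so the rendered guide is reproducible. The CPE platform list and table of contents in this hunk are unchanged context.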
@@ -135,16 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
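Review bot: the References line for xccdf_org.ssgproject.content_rule_rpm_verify_hashes (CCE-27157-7) is removed and nothing is added in this hunk, so as shown the rule's reference mapping (CCI-000366, CCI-001749, RHEL-07-010020, SV-214799r854001_rule and the rest) would vanish from the guide. The rpm_verify_permissions hunk that follows removes the same kind of list and re-adds it unchanged in a different table cell, so confirm this is the same relocation and that the `+` side was only cut from the excerpt rather than genuinely dropped.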
@@ -334,32 +334,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
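Review bot: the removed References line has "Remediation Shell script ⇲Complexity: | high |" fused onto its end and the re-added `+` line stops at SV-204392r880752_rule, so the change is a cell-boundary move of the references plus removal of the entire Shell script remediation block, which this hunk does not add back; only the Ansible snippet header ("Read list of files with incorrect permissions") survives as context. If the intent is merely to reorder remediation snippets, the generator should emit them in a fixed order so the diff is empty across rebuilds; if the shell remediation is really being dropped for rpm_verify_permissions, that needs to be called out, since the rule's restrict-strategy fix (`rpm --restore` on each package that owns a file flagged by `rpm -Va`) would then only exist as Ansible.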
@@ -537,35 +537,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -645,34 +645,7 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-07-010019, 1.2.3, SV-256968r902687_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 103 groups and 282 rules | Group
@@ -144,16 +144,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -338,28 +338,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -467,32 +467,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -602,19 +602,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
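Review bot: this hunk removes the Shell script remediation (the /.dockerenv and /run/.containerenv guard, then `if ! rpm -q --quiet "aide"` / `yum install -y "aide"`) and the Anaconda `package --add=aide` line without changing a character of them, and the only addition is a blank `+` line after the Ansible snippet header; the hunk that follows re-adds the same Anaconda and Shell blocks after the Ansible tags. That is ordering churn between builds, not a content change. Sort the remediation snippets deterministically in the guide generator (for example by remediation type) so the rendered HTML is byte-identical across rebuilds, and drop the stray blank line while at it.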
@@ -632,6 +620,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2023-10-17 02:00:00.000000000 +0200
@@ -82,7 +82,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 281 rules | Group
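Review bot: ssg-rhel7-guide-stig_gui.html shows the same build-clock leak as the earlier guides in this diff: the only changed line in this 7-line hunk is the Revision History date moving from 2023-10-20 to 2039-11-21, although the `---`/`+++` headers date both files 2023-10-17. The CPE entries and table of contents are unchanged context. Stamp the date from a fixed source value so the STIG GUI guide does not differ on every rebuild.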
@@ -150,16 +150,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -344,28 +344,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -473,32 +473,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -608,19 +608,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -638,6 +626,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 68 groups and 240 rules | Group
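Review bot: ssg-rhel8-guide-anssi_bp28_enhanced.html carries the same 2023-10-20 to 2039-11-21 revision-date change as the RHEL 7 guides; the CPE platforms (enterprise_linux:8.0 through 8.10 and the bare 8) and the table of contents are context, so the embedded build time is the entire hunk. Until the generator takes the date from the source release rather than the build clock, every guide in this package will show this diff.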
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -478,19 +478,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -505,6 +493,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -515,27 +515,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 8, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-83810-2 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 8, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
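Review bot: two documentation problems in the sudo text of this hunk, independent of the reordering. The env_reset rationale line `command accidentaly, preventing leak of potentially sensitive information.` misspells "accidentally". The ignore_dot rule description contains `On Red Hat Enterprise Linux 8, env_reset is enabled by default`, which names a different option than the rule is about; either the sentence was copied from the env_reset rule or the option name is wrong, and it should be checked against sudoers(5) before the next release. The hunk is also cut off after `This should be enabled by making sure that the ignore_dot tag exists in`, so the rest of the re-added rule is not visible in this report.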
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 70 groups and 314 rules | Group
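Review bot: the one substantive change in this hunk is the revision date, `- (as of 2023-10-20)` becoming `+ (as of 2039-11-21)`, while the version stays `0.1.70 - draft` and the file timestamps in the `---`/`+++` headers are identical. A date sixteen years in the future is the build machine's clock leaking into the rendered guide, so every rebuild produces a spurious diff in every profile; deriving the stamp from SOURCE_DATE_EPOCH or from the content's release date would make it stable. The remaining lines of the hunk (CPE platform list, table of contents) are unchanged rendering context.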
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -295,24 +295,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -438,35 +438,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | Identifiers:
CCE-82891-3 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r902716_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 55 groups and 169 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -157,6 +145,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Group
Disk Partitioning
Group contains 9 rules | [ref]
@@ -459,19 +459,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -486,6 +474,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -496,27 +496,7 @@
in /etc/sudoers.d/ . | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | |
| Rule
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
- [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-On Red Hat Enterprise Linux 8, env_reset is enabled by default
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | Identifiers and References | Identifiers:
- CCE-83810-2 References:
- BP28(R58) | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+On Red Hat Enterprise Linux 8, env_reset is enabled by default
+This should be enabled by making sure that the ignore_dot tag exists in
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 26 groups and 47 rules | Group
@@ -103,22 +103,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-82202-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,22 +169,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
CCE-82197-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r854026_rule | | |
| Group
Updating Software
Group contains 9 rules | [ref]
@@ -251,13 +251,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
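Review bot: the dnf-automatic Shell script remediation in this hunk lacks the container guard that the aide and sudo scripts elsewhere in this report carry (`# Remediation is applicable only in certain platforms` followed by `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then`); it runs `yum install -y "dnf-automatic"` unconditionally. If the omission is intentional, a comment in the script saying so would document it; otherwise the same platform check should be added for consistency. The snippet reordering itself is the same non-deterministic ordering seen in the aide and sudo hunks.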
@@ -269,6 +263,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | Identifiers and References | Identifiers:
CCE-82494-6 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
+ Configure dnf-automatic to Install Only Security Updates
+ [ref] | To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | Severity: | low | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | Identifiers and References | Identifiers:
+ CCE-82267-6 References:
+ BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf . | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
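Review bot: this hunk moves the whole rule `Configure dnf-automatic to Install Only Security Updates` (rule ID `xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only`, CCE-82267-6) above its old position with identical text, so rule order within the Updating Software group also varies between builds, not only the order of remediation snippets. The generator should emit rules in a stable order (the order given in the profile, or sorted by rule ID). The removed copy is truncated after `Reducing the amount of updated packages only to updates that were`, so its tail is not shown in this report.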
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 118 groups and 359 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -480,25 +480,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
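Review bot: the `Remediation Shell script ⇲` block for the system crypto policy in this hunk carries no Complexity/Disruption/Strategy table, unlike the Ansible snippet that follows it (`Strategy: | restrict |`) and every other shell remediation in this report; the metadata should be emitted for it too. The script itself is sound: `2>&1 > /dev/null` inside the command substitution captures only stderr in `stderr_of_call`, `rc=$?` reads the exit status of that substitution, and exit code 127 is singled out as command-not-found with a pointer to `dnf provides update-crypto-policies`.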
@@ -545,6 +527,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -555,11 +555,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 105 groups and 283 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -480,25 +480,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -545,6 +527,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
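Review bot: the relocated shell remediation for `var_system_crypto_policy` still lacks the Complexity/Disruption/Strategy table that its Ansible counterpart in this hunk carries (`Remediation Shell script ⇲` goes straight into `+var_system_crypto_policy='DEFAULT'`); add the three rows so every remediation on this rule is described the same way as on the aide rules above. While the block is being moved, quote the variable in `update-crypto-policies --set "${var_system_crypto_policy}"`, since an unquoted value containing whitespace would be split into several arguments and the `rc` check below would then report a misleading invocation error.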
@@ -555,11 +555,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 98 groups and 276 rules | Group
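Review bot: the generation stamp changes from `(as of 2023-10-20)` to `(as of 2039-11-21)`, a date roughly sixteen years in the future, while the version line stays at `0.1.70 - draft`; that indicates a wrong clock on the build host rather than a real rebuild date and will mislead anyone checking how current the guide is. Regenerate with the clock corrected, or derive the stamp from a fixed source such as `SOURCE_DATE_EPOCH` so the date is reproducible. The same future date appears in the revision history of every profile page touched by this patch.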
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
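Review bot: this hunk is hard to review because the diff engine has matched the identical metadata rows (`Complexity: | low |`, `Disruption: | low |`, `Strategy: | enable |`) and the `# Remediation is applicable only in certain platforms` comment across the three snippets, so the removed shell script is interleaved with kept header rows and the Ansible header shows twice (`- name: Ensure aide is installed`, a lone `+`, then a second `Remediation Ansible snippet ⇲` block). Regenerate the patch with `git diff --diff-algorithm=patience` (or `histogram`) so the relocation reads as one removal and one addition, and state in the commit message that this is a pure reordering of remediation snippets (Ansible, then Anaconda, then shell) with no content change, which is what this hunk and the following `@@ -156,6 +144,18 @@` hunk indicate.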
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -480,25 +480,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -545,6 +527,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -555,11 +555,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 113 groups and 355 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -294,24 +294,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -480,25 +480,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -545,6 +527,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -555,11 +555,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | Group
@@ -137,16 +137,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,32 +330,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
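Review bot: this hunk removes the whole `rpm --restore` shell remediation (from `declare -A SETPERMS_RPM_DICT` through the final `done`) but no matching addition is visible in this patch view, unlike the aide and crypto-policy shell snippets, which are re-added in a later hunk; confirm the block is relocated and not dropped. If it is being moved, fix two things in it on the way: `awk '{ if (substr($0,2,1)=="M") print $NF }'` prints only the last whitespace-separated field of each `rpm -Va` line, so a path containing spaces is truncated and the later `rpm -qf "${FILE_PATH}"` cannot resolve it; and the comment `some files maybe controlled by more then one package` should read `may be controlled by more than one package`.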
@@ -462,19 +462,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -492,6 +480,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -514,20 +514,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -630,24 +630,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -137,19 +137,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -167,6 +155,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -204,19 +204,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -300,33 +300,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -466,13 +466,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -484,6 +478,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -557,25 +557,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
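Review bot: the only substantive change in this hunk is the revision date, "(as of 2023-10-20)" becoming "(as of 2039-11-21)", while the version string "0.1.70 - draft" and the CPE platform list are the same on both sides; the date is evidently taken from the build clock, which makes the generated guide non-reproducible. Derive it from the content release date or honour SOURCE_DATE_EPOCH so that rebuilding unchanged sources on a different day does not alter the document.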
@@ -139,16 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
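Review bot: this hunk removes the references line of xccdf_org.ssgproject.content_rule_rpm_verify_hashes (the list beginning "11, 2, 3, 9, 5.10.4.1" and ending "SRG-OS-000480-GPOS-00227, 6.1.1") with no visible "+" replacement, and the hunk header has the region shrinking from 16 to 7 lines. Before accepting, confirm the references are still emitted on the new side (most likely merged into a single long line that this rendering does not show), because a silently dropped reference list breaks the rule-to-control mapping the profile relies on.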
@@ -327,28 +327,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -453,32 +453,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
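Review bot: the shell remediation moved out of this hunk builds its file list with "rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'", and "$NF" keeps only the last whitespace-separated token, so any path containing a space is truncated and a wrong path is then passed to "rpm -qf"; since the same script reappears unchanged in the hipaa and ospp guides below, the fix belongs in the shared remediation template rather than in the generated HTML. The references line itself is the same on both sides apart from the trailing "| Remediation Shell script ⇲Complexity: | high |" cell being split off, which is the same remediation-ordering noise seen in the earlier aide hunk.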
@@ -623,25 +623,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -688,6 +670,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -142,16 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,32 +335,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -505,25 +505,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -570,6 +552,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
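Review bot: in the shell script added by this hunk, "false # end with an error code" only sets "$?", so the non-zero status of a failed "update-crypto-policies --set FIPS" survives only because "fi" happens to be the last statement; if the generator concatenates this snippet with later remediations into one fix script, the failure is silently swallowed and the following remediations run on a system whose crypto policy was never changed. Use "exit 1" (or "return 1" when the snippet is wrapped in a function) in both the rc = 127 and rc != 0 branches; the "2>&1 > /dev/null" ordering that captures only stderr into stderr_of_call is correct as written.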
@@ -580,11 +580,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -696,69 +696,7 @@
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | Identifiers:
CCE-80772-7 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
@@ -143,16 +143,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -331,28 +331,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -457,32 +457,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -589,19 +589,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -619,6 +607,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
@@ -72,7 +72,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -128,19 +128,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
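Review bot: nothing in this hunk changes content, it only reorders the remediation sections: `-Remediation Shell script ⇲` and `-package --add=aide` are removed from before the Ansible snippet, and the Ansible snippet is re-emitted in place (the same Shell and Anaconda blocks reappear after it in the next hunk). A pure reordering between two builds of identical sources points to the HTML generator iterating the remediations from an unordered container (a set or a dict keyed by remediation type); emit them in a fixed order, such as sorted by type, so the guides diff cleanly between builds and reviewers are not asked to re-read unchanged install scripts.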
@@ -158,6 +146,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -195,19 +195,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] |
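Review bot: the header `@@ -195,19 +195,7 @@` says 19 lines were replaced by 7, but the only visible change is the removed `- CCI-000068, CCI-000803, CCI-002450, ...` references line with no `+` counterpart, so this rendering drops the replacement text and the actual change to the enable_dracut_fips_module references cannot be reviewed here. Regenerate the diff from the HTML source, or from a text dump that keeps line breaks, before accepting it; a references list silently shrinking on a high-severity FIPS rule is exactly the kind of change that needs to be seen in full.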
@@ -291,33 +291,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r877398_rule | | |
| Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -457,13 +457,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -475,6 +469,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
|
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -548,25 +548,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
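Review bot: this hunk is cut off mid-script at `- echo "$stderr_of_call" >&2`, and the matching `+` block for the `update-crypto-policies --set ${var_system_crypto_policy}` remediation (with `var_system_crypto_policy='FIPS:OSPP'`) does not appear before the next file starts, so whether the script was moved unchanged, as it is in the later guides, or edited cannot be confirmed from this view. A diff that is truncated at a size limit should say so in its output rather than stop silently.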
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | Group
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -326,32 +326,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
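Review bot: the moved `rpm --restore` remediation script carries two defects worth fixing while it is being touched. `readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')` keeps only the last whitespace-separated field, so a path containing a space is truncated to its final word and the following `rpm -qf "${FILE_PATH}"` queries a file that does not exist, leaving that package's permissions unrestored; take the path from everything after the fixed status and attribute columns instead of `$NF`. The comments `# NOTE: some files maybe controlled by more then one package` and `it's keys` should read `may be controlled by more than one package` and `its keys`. Beyond that, the hunk only relocates the references list and the Shell script relative to the Ansible snippet, the same ordering instability seen in the aide hunks.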
@@ -458,19 +458,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -488,6 +476,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -510,20 +510,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -626,24 +626,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | Group
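Review bot: from `- BP28(R51), ... | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0` onward this hunk runs into the header of a different guide with no `differs`, `---` or `+++` file header in between: its Table of Contents lists Obsolete Services, and it reports `Group contains 39 groups and 71 rules`, whereas the pci-dss guide being diffed reports 49 groups and 125 rules. The per-file separation was lost when the diff was rendered, and as a result the aide_periodic_cron_checking references removal has no visible `+` counterpart. Split the listing per file, and keep each file's header, before this is reviewed.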
@@ -124,19 +124,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -154,6 +142,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -216,25 +216,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -281,6 +263,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -291,11 +291,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | | |
| Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -438,35 +438,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-80790-9 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, 1.2.3, SV-230264r880711_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -534,9 +534,7 @@
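Review bot: `@@ -534,9 +534,7 @@` is an empty hunk, immediately followed by the next file's `differs` line with no context, `-` or `+` lines, so the change it announces (9 lines becoming 7 near the end of the pci-dss guide) is missing from this rendering and cannot be checked. The same size-limit truncation affects the other guides; the rendered diff should be produced without that limit or mark where it cut.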
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 33 groups and 79 rules | Group
@@ -135,16 +135,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -328,32 +328,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
| |
| Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -524,25 +524,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -589,6 +571,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -599,10 +599,7 @@
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | Identifiers and References | Identifiers:
CCE-80936-8 References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r877398_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -633,18 +633,7 @@
service violate expectations, and makes system configuration more
fragmented. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | Identifiers and References | Identifiers:
CCE-80937-6 References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r877398_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 403 rules | Group
@@ -132,19 +132,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
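Review bot: together with the preceding `@@ -132,19 +132,7 @@` hunk this is a pure reorder, not a content change: the Shell script block (`rpm -q --quiet "aide"` / `yum install -y "aide"` inside the `/.dockerenv` and `/run/.containerenv` guard) and the Anaconda block (`package --add=aide`) are removed from before the Ansible snippet and re-added here, verbatim, after it. The rendering order of remediation types is therefore unstable between builds; sort the remediations by a fixed key (the type name) when the guide is generated so the order no longer depends on iteration order. The same pair of hunks repeats for every `aide`, `sudo` and `dnf-automatic` package rule in the guides below and would be fixed by the same change.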
@@ -184,20 +184,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -299,68 +299,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 400 rules | Group
@@ -138,19 +138,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -168,6 +156,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -190,20 +190,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -305,68 +305,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 67 groups and 235 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -431,19 +431,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- dnf install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -458,6 +446,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ dnf install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -467,27 +467,7 @@
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | Identifiers:
- CCE-83539-7 References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
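Review bot: this hunk moves the whole `Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty` rule (description, rationale, severity, rule ID `xccdf_org.ssgproject.content_rule_sudo_add_requiretty`, `CCE-83539-7`, `BP28(R58)`) to a later position in the sudo group without changing a word of it, so rule order within a group is also non-deterministic between builds, the same root cause as the remediation reorder above. Note also that the `+` copy breaks off after the Rationale line (`Restricting the use cases in which a user is allowed to execute sudo commands`) and runs straight into the file header for `ssg-rhel9-guide-anssi_bp28_high.html`; the rest of the re-added block is missing from this capture, so regenerate the diff with full hunks before using it as evidence of what changed.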
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Kernel Configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 69 groups and 313 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,24 +290,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -433,35 +433,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | Identifiers and References | Identifiers:
CCE-90844-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 55 groups and 166 rules | Group
@@ -127,19 +127,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -156,6 +144,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,20 +178,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -412,19 +412,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- dnf install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=sudo
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -439,6 +427,18 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=sudo
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ dnf install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -448,27 +448,7 @@
in /etc/sudoers.d/ . | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | Identifiers and References | Identifiers:
- CCE-83539-7 References:
- BP28(R58) | |
| Rule
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ [ref] | The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 26 groups and 47 rules | Group
@@ -103,22 +103,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | Identifiers:
CCE-83544-7 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
- CCE-83536-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | Identifiers:
+ CCE-83536-3 References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Updating Software
Group contains 9 rules | [ref]
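Review bot: same rule-order instability as the `sudo requiretty` hunk: the `Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD` block (`xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd`, `CCE-83536-3`) is deleted and re-inserted unchanged after the next `| Rule` separator, and the hunk header `-103,22 +103,7` does not match the symmetric removal and addition actually shown, so the line counts in this capture are not reliable either. Fixing the generator's rule ordering removes this hunk; no change to the rule text is needed.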
@@ -245,13 +245,7 @@
[[packages]]
name = "dnf-automatic"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "dnf-automatic" ; then
- dnf install -y "dnf-automatic"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=dnf-automatic
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -263,6 +257,12 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=dnf-automatic
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "dnf-automatic" ; then
+ dnf install -y "dnf-automatic"
+fi
|
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic , set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf . | Rationale: | Installing software updates is a fundamental mitigation against
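Review bot: the `dnf-automatic` shell remediation (`if ! rpm -q --quiet "dnf-automatic"` / `dnf install -y "dnf-automatic"`) has no container applicability guard, whereas the `aide` and `sudo` shell remediations in the hunks above wrap the install in `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` and print `Remediation is not applicable, nothing was done` otherwise. This diff does not change that (the block is only moved after the Ansible snippet, like the others), but since the guard is the convention for the other package-install remediations on the page, confirm it is intentionally omitted for `dnf-automatic` or add it for consistency.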
@@ -357,35 +357,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | Identifiers:
CCE-83457-2 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.2 | | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf .
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
-be signed with a certificate recognized and approved by the organization. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | Identifiers and References | Identifiers:
- CCE-83463-0 References:
- BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
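Review bot: this hunk removes the whole "Ensure gpgcheck Enabled for Local Packages" rule (CCE-83463-0, xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages, severity high) from this guide with nothing replacing it (35 lines out, 7 in). The commit message should state that the rule was deliberately dropped from this profile's selection; a guide silently losing a high-severity signature-verification control otherwise reads as a selection regression rather than a re-render.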
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DNS Server
- FTP Server
- IMAP and POP3 Server
- Network Time Protocol
- Obsolete Services
- Proxy Server
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 67 groups and 140 rules | Group
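Review bot: the "as of" build date changes from 2023-10-20 to 2039-11-21, and the same replacement appears in every guide in this diff. 2039 is a date in the future, which points to a wrong clock or date override on the build host rather than a real revision; regenerate the guides with a correct timestamp before merging, since the stamp is what readers use to tell which content revision a rendered guide corresponds to.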
@@ -152,25 +152,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -215,6 +197,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
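Review bot: the shell remediation added in this hunk is byte-identical to the one removed in the @@ -152,25 +152,7 @@ hunk above, so the only effect is that the shell script now follows the Ansible snippet; please say in the commit message that the snippet ordering changed deliberately. Since the block is being touched anyway, two pre-existing points worth a follow-up: the script has no Complexity/Disruption/Strategy table while the Ansible snippet beside it does, and `${var_system_crypto_policy}` is unquoted in the `update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null` call (harmless for the literal `DEFAULT`, but the variable is meant to be promoted). The identical move recurs in two more guide files further down in this diff.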
@@ -225,11 +225,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-83445-7 References:
- A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
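Review bot: this hunk drops the References row for CCE-83445-7 (xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy) and the header accounts for a net loss of four lines, but only the single `- A.5.SEC-RHEL6, ...` line is visible; check that the rendered guide still lists the references for this rule, or state in the commit message that reference rows were intentionally removed. The same one-line reference removal recurs for several other rules in this diff (dconf_gnome_disable_user_list, aide_build_database, aide_check_audit_tools, enable_dracut_fips_module).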
@@ -350,69 +350,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-88285-2 References:
- A.11.SEC-RHEL9, CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | |
| Group
- GNOME Media Settings
- Group contains 3 rules | [ref]
- GNOME media settings that apply to the graphical interface. | Rule
- Disable GNOME3 Automounting
- [ref] | The system's default desktop environment, GNOME3, will mount
-devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-they are inserted into the system. To disable automount within GNOME3, add or set
- automount to false in /etc/dconf/db/local.d/00-security-settings .
-For example:
- [org/gnome/desktop/media-handling]
-automount=false
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/desktop/media-handling/automount
-After the settings have been set, run dconf update . | Rationale: | Disabling automatic mounting in GNOME3 can prevent
-the introduction of malware via removable media.
-It will, however, also prevent desktop users from legitimate use
-of removable media. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount | Identifiers and References | Identifiers:
- CCE-87734-0 References:
- A.11.SEC-RHEL12, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
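Review bot: this hunk deletes the entire "GNOME Media Settings" group, whose own header says "Group contains 3 rules", yet only the "Disable GNOME3 Automounting" rule (CCE-87734-0) is visible among the removed lines before the next guide starts; the header's 69-line removal suggests the other two rules were collapsed in rendering. Confirm that all three rules were meant to leave this profile and that the parent group's rule count was updated accordingly. The same group removal recurs in a second guide later in this diff.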
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 39 groups and 89 rules | Group
@@ -152,25 +152,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -215,6 +197,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -225,11 +225,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-83445-7 References:
- A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
GNOME Desktop Environment
Group contains 1 rule | [ref]
@@ -274,15 +274,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | Identifiers and References | Identifiers:
CCE-87295-2 References:
- A.11.SEC-RHEL4, 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, 1.8.2 | | |
| Group
Sudo
Group contains 2 rules | [ref]
@@ -334,37 +334,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | Identifiers and References | Identifiers:
CCE-83543-9 References:
- A.5.SEC-RHEL2, 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, 5.3.4 | | |
| Rule
Require Re-Authentication When Using the sudo Command
[ref] | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
@@ -450,46 +450,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication | Identifiers and References | Identifiers:
CCE-90029-0 References:
- A.5.SEC-RHEL2, CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, 5.3.5, 5.3.6 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DNS Server
- FTP Server
- IMAP and POP3 Server
- Network Time Protocol
- Obsolete Services
- Proxy Server
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 127 rules | Group
@@ -152,25 +152,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
-Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -215,6 +197,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -225,11 +225,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-83445-7 References:
- A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
GNOME Desktop Environment
Group contains 3 groups and 7 rules | [ref]
@@ -291,69 +291,7 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | Identifiers and References | Identifiers:
CCE-88285-2 References:
- A.11.SEC-RHEL9, CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | |
| Group
- GNOME Media Settings
- Group contains 3 rules | [ref]
- GNOME media settings that apply to the graphical interface. | Rule
- Disable GNOME3 Automounting
- [ref] | The system's default desktop environment, GNOME3, will mount
-devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-they are inserted into the system. To disable automount within GNOME3, add or set
- automount to false in /etc/dconf/db/local.d/00-security-settings .
-For example:
- [org/gnome/desktop/media-handling]
-automount=false
-Once the settings have been added, add a lock to
- /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
- /org/gnome/desktop/media-handling/automount
-After the settings have been set, run dconf update . | Rationale: | Disabling automatic mounting in GNOME3 can prevent
-the introduction of malware via removable media.
-It will, however, also prevent desktop users from legitimate use
-of removable media. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount | Identifiers and References | Identifiers:
- CCE-87734-0 References:
- A.11.SEC-RHEL12, 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-000366, CCI-000778, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 1.8.6, 1.8.7 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 112 groups and 355 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
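Review bot: in this hunk the comment line `# Remediation is applicable only in certain platforms` stays as unchanged context while the `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` block it introduces is re-added beneath it, and in the preceding @@ -126,19 +126,7 @@ hunk the same comment stays in place while that block is removed; this is the diff matching the identical metadata-table lines across snippets rather than a content change, but please eyeball the rendered guide to confirm the comment and its `if` block still sit together under the "Remediation Shell script" heading and that the "Remediation Anaconda snippet" heading is not left with an empty body. The moved shell and Anaconda (`package --add=aide`) blocks are verbatim copies of the removed ones, so only the snippet order changes; this move recurs in each of the following aide guide files in this diff.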
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -288,68 +288,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 96 groups and 270 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -288,68 +288,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 91 groups and 266 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -288,68 +288,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 105 groups and 349 rules | Group
@@ -126,19 +126,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -155,6 +143,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,20 +177,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -288,68 +288,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | Group
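Review bot: the Revision History date ('(as of 2023-10-20)' replaced by '(as of 2039-11-21)') is the only change in this hunk and the year 2039 shows it is taken from the build clock rather than from the source, so two builds of the same scap-security-guide content produce different HTML; derive the date from the source instead (for example from SOURCE_DATE_EPOCH or the package changelog) so the guides are reproducible.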
@@ -139,19 +139,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -232,33 +232,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | Identifiers:
CCE-88742-2 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 4 rules | [ref]
@@ -394,13 +394,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -412,6 +406,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
|
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
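Review bot: the '+package --add=crypto-policies' Anaconda block and the '+if ! rpm -q --quiet "crypto-policies" ; then' shell block added here are byte-for-byte the blocks removed in the preceding hunk, so the only difference is the order in which the guide generator emits remediation types (Shell, Anaconda, Ansible before; Ansible, Anaconda, Shell after); emit the remediation blocks in a fixed order, for example sorted by remediation type, so the rendered guides do not change between builds.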
@@ -459,25 +459,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS:OSPP
tags:
@@ -522,6 +504,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS:OSPP'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -533,37 +533,7 @@
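Review bot: the hunk header '@@ -533,37 +533,7 @@' is followed directly by the next file header with no hunk body, so the comparison output was cut off here and the remaining differences in this guide are not shown; re-run the comparison with a larger output limit before concluding that the rest of the file is unchanged.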
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | Group
@@ -139,16 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -327,28 +327,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -453,32 +453,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -623,25 +623,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -686,6 +668,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2023-10-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | Group
@@ -142,16 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,32 +335,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -505,25 +505,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -568,6 +550,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -578,11 +578,7 @@
in the /etc/sysconfig/sshd . | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | Identifiers and References | Identifiers:
CCE-83445-7 References:
- A.5.SEC-RHEL6, A.11.SEC-RHEL6, CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, 5.2.14 | | |
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -693,69 +693,7 @@
After the settings have been set, run dconf update . | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | Identifiers and References | Identifiers:
CCE-87524-5 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | Group
@@ -143,16 +143,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -331,28 +331,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -457,32 +457,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -589,19 +589,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -618,6 +606,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
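Review bot: this hunk stops at '+if ! rpm -q --quiet "aide" ; then' without the 'dnf install' line or the closing 'fi', so the script is not actually truncated in the new guide; the hunk body was cut off by the output limit, and the following lines must be checked in the generated HTML itself.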
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2023-10-17 02:00:00.000000000 +0200
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | Group
@@ -129,19 +129,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223 | | |
| Rule
Enable FIPS Mode
[ref] |
@@ -222,33 +222,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | Identifiers:
CCE-88742-2 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | |
| Group
System Cryptographic Policies
Group contains 4 rules | [ref]
@@ -384,13 +384,7 @@
[[packages]]
name = "crypto-policies"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=crypto-policies
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -402,6 +396,12 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=crypto-policies
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
|
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -449,25 +449,7 @@
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
- Remediation Shell script ⇲
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | restrict |
---|
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS:OSPP
tags:
@@ -512,6 +494,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
Remediation Shell script ⇲
+var_system_crypto_policy='FIPS:OSPP'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
|
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -523,37 +523,7 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | Group
@@ -133,16 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -326,32 +326,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -458,19 +458,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -487,6 +475,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
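Review bot: hunks -458 and -487 together only move the three remediation snippets for "Ensure aide is installed" from Shell script / Anaconda / Ansible order to Ansible / Anaconda / Shell script order; the removed `-if [ ! -f /.dockerenv ]` and `-package --add=aide` lines reappear unchanged as `+` lines after the Ansible task, which points to the generator iterating remediation types in an unstable order. Sort the remediation types deterministically when the rule section is emitted so the ordering does not depend on hashing or set iteration order and the guide is reproducible.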
@@ -509,20 +509,7 @@
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -621,24 +621,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 492 rules | Group
@@ -133,19 +133,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -162,6 +150,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -184,68 +184,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -342,24 +342,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 489 rules | Group
@@ -139,19 +139,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -168,6 +156,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -190,68 +190,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, 1.3.3 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -348,24 +348,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 45 groups and 116 rules | Group
@@ -132,16 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,32 +318,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -446,19 +446,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -474,6 +462,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,20 +495,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -602,24 +602,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 101 groups and 375 rules | Group
@@ -133,16 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -314,28 +314,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -436,32 +436,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -564,19 +564,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -592,6 +580,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2023-10-17 02:00:00.000000000 +0200
@@ -90,7 +90,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 49 groups and 144 rules | Group
@@ -157,16 +157,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -338,28 +338,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -460,32 +460,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -595,33 +595,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
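Review bot: the regenerated header timestamp `+ (as of 2039-11-21)` in this hunk is sixteen years ahead of the removed `- (as of 2023-10-20)` and of the 2023-10-17 mtimes shown in the `--- old` / `+++ new` file headers further down, so the documentation build is reading a wrong clock or a bogus SOURCE_DATE_EPOCH; fix the build date instead of shipping guides stamped 2039. The same substitution repeats in every Revision History block in this diff.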
@@ -141,16 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -333,32 +333,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
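Review bot: the remediation content for xccdf_org.ssgproject.content_rule_rpm_verify_permissions is dropped on the new side of this hunk: the whole `rpm --restore` shell script (from `-declare -A SETPERMS_RPM_DICT` to the final `-done`) and the head of the Ansible snippet (`- name: Read list of files with incorrect permissions`) are removed, and the only `+` line is a second copy of the References list. Either the generator now intentionally omits remediations for this rule, in which case the duplicated references line still needs fixing, or a template change lost the section; compare the package_aide_installed hunks below, where the remediation snippets survive and are merely reordered.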
@@ -464,19 +464,7 @@
[[packages]]
name = "aide"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
-package --add=aide
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
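Review bot: the Shell and Anaconda remediation snippets removed ahead of `- name: Ensure aide is installed` in this hunk reappear unchanged after the Ansible snippet in the following hunk (`@@ -493,6 +481,18 @@`), so this is a reorder of remediation types (Ansible, Anaconda, Shell) rather than a loss of content. Worth confirming the new ordering is an intended generator change, because a presentation-order diff of this size makes the genuine content losses elsewhere in the same build (the rpm_verify_permissions hunk above) easy to miss.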
@@ -493,6 +481,18 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Anaconda snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
+package --add=aide
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
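Review bot: the re-added shell remediation in this hunk (`+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` through `+fi`) is idempotent thanks to the `! rpm -q --quiet "aide"` guard, but the not-applicable branch only writes `'Remediation is not applicable, nothing was done'` to stderr and falls through to exit status 0, so a caller checking the exit code cannot distinguish a skipped remediation from a successful one. If exit 0 on skip is the convention this guide relies on, a line saying so in the snippet header would prevent the next reviewer from asking the same question.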
@@ -514,20 +514,7 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -625,24 +625,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r902698_rule | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
ChecklistGroup
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 32 groups and 74 rules | Group
@@ -143,16 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,32 +335,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | Remediation Shell script ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
Remediation Ansible snippet ⇲Complexity: | high |
---|
Disruption: | medium |
---|
Strategy: | restrict |
---|
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule
| |
| Group
Disk Partitioning
Group contains 2 rules | [ref]
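Review bot: same deletion as the earlier rpm_verify_permissions hunk, now in the second Red Hat Enterprise Linux 7 guide build: the `rpm --restore` shell script and the first line of the Ansible snippet are removed and the References list is duplicated on the `+` side, so the loss is systematic across profiles rather than specific to one guide.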
@@ -532,35 +532,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -637,34 +637,7 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, 1.2.3, SV-256968r902687_rule | Remediation Shell script ⇲# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
-readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
-
-# Location of the key we would like to import (once it's integrity verified)
-readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-
-RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
-
-# Verify /etc/pki/rpm-gpg directory permissions are safe
-if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
-then
- # If they are safe, try to obtain fingerprints from the key file
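Review bot: the header `@@ -637,34 +637,7 @@` says the whole GPG-key remediation is being dropped, but the hunk is cut off after `- # If they are safe, try to obtain fingerprints from the key file`, so the remaining removed lines and the seven new lines cannot be reviewed here. If this script is retained anywhere, note that `-if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]` compares the octal mode digits from `stat -c %a` as a decimal integer: a world-writable directory with mode 747 passes the "safe" test because 747 is numerically below 755. A bit test of the group and other write bits, for example `(( 8#${RPM_GPG_DIR_PERMS} & 022 ))` being nonzero meaning unsafe, expresses the intended check.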
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,150 +45,136 @@
BP28(R1) |
- Remove tftp Daemon |
-
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
- |
-
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
- |
-
-
- BP28(R1) NT007(R03) |
- Uninstall the telnet server |
+ Uninstall rsh Package |
- The telnet daemon should be uninstalled.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall ypserv Package |
- The rsh-server package can be removed with the following command:
+ The ypserv package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase ypserv
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
BP28(R1) |
- Remove telnet Clients |
+ Remove NIS Client |
- The telnet client allows users to start connections to other systems via
-the telnet protocol.
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The telnet protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The ssh package provides an
-encrypted session and stronger security and is included in Oracle Linux 7.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
- BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1) NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
BP28(R1) |
- Remove NIS Client |
+ Ensure SMEP is not disabled during boot |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the nosmep boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmep.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmep"
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
|
BP28(R1) |
- Uninstall rsh Package |
+ Uninstall rsh-server Package |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
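Review bot: the new SMEP row added in this hunk (`+ Ensure SMEP is not disabled during boot |`) carries a typo, `+the nosmep boot paramenter option.` should read `parameter`, and two defects copied over from the old rows survive the reshuffle: the telnet rationale still ends with a stray quote in `+can be listened and no integrity checking is made.'`, and `+the clients for rsh,rcp, and rlogin.` lacks a space after the comma. The hunk is also cut off mid-sentence at `+authentication. If a privileged user were to login using this service, the privileged user password`, so the rest of the rsh-server rationale is not visible for review.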
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,15 +44,56 @@
|
+ 3.1.1 3.1.5 |
+ Disable SSH Root Login |
+
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
+ |
+
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
+ |
+
+
+ 3.1.1 3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
3.1.1 3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
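Review bot: the emergency-target row is replaced rather than supplemented in this hunk: `- Require Authentication for Emergency Systemd Target |` becomes `+ Require Authentication for Single User Mode |`, with `rescue.service` substituted for `emergency.service`, so the 3.1.1 / 3.4.5 mapping for emergency.service disappears from this table. Confirm that the emergency-mode requirement is deliberately unmapped here rather than lost. The two rows added at the top of the hunk (Disable SSH Root Login, Prevent Login to Accounts With Empty Password) are moves from later in the table, as the later hunks removing the same rows show, not new requirements.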
@@ -61,49 +102,35 @@
|
- 3.1.1 3.1.5 |
- Disable SSH Access via Empty Passwords |
+ 3.1.1 |
+ Disable GDM Guest Login |
- Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
3.1.1 3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
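Review bot: typo on the new GDM row in this hunk: `+or "guest" account access has inherent security risks and should be disabled. To do disable` should read `To disable`. The rest of the hunk is a move: the removed SSH empty-password and SSH root-login rows are re-added in the neighbouring hunks with their 3.1.1 3.1.5 cells intact.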
@@ -128,29 +155,28 @@
- 3.1.1 3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1 3.1.5 |
+ Disable SSH Access via Empty Passwords |
- To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Oracle Linux 7's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
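Review bot: in the added "Disable SSH Access via Empty Passwords" row, the sentence `+configuration is used if no value is set for PermitEmptyPasswords.` is vague about what "appropriate" means; state the default value explicitly so the reader knows the unset case is equivalent to `PermitEmptyPasswords no`, as the previous sentence already implies. On the removed side, `$ sudo echo > /etc/securetty` would not have worked as written, because the redirection is performed by the invoking user's shell and not by sudo, so if that row is reintroduced elsewhere the command should be changed to something that writes the file with elevated privileges.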
@@ -171,58 +197,6 @@
- 3.1.1 3.1.5 |
- Prevent Login to Accounts With Empty Password |
-
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
- |
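Review bot: this hunk removes the "Prevent Login to Accounts With Empty Password" row (the nullok removal from /etc/pam.d/system-auth and /etc/pam.d/password-auth) with no corresponding addition in view, and the hunk header shrinks from 58 old lines to 6 new ones. The row added just above says "PAM configuration should prevent users from being able to assign themselves empty passwords", and the nullok guidance is the rule that actually delivers that; confirm it is still present in the new table under a different position or reference.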
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,138 +44,125 @@
- AU-2(d) AU-12(c) CM-6(a) |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
- AC-2(g) AU-3 AU-10 AU-2(d) AU-12(c) AU-14(1) AC-6(9) CM-6(a) SI-4(23) |
- Enable auditd Service |
+ AU-2(d) AU-12(c) CM-6(a) |
+ Ensure auditd Collects File Deletion Events by User - rename |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d) AU-12(c) CM-6(a) |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Record Events that Modify the System's Network Environment |
- The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, check the order of rules below in
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
- The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.
+ The network environment should not be modified by anything other
+than administrator action. Any change to network parameters should be
+audited.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Record Access Events to Audit Log Directory |
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
- The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rule to
-/etc/audit/audit.rules file.
+ If the auditd daemon is configured to use the augenrules program
+to read audit rules during daemon startup (the default), add the following lines to a file
+with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
+loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit
+rules during daemon startup, add the following lines to /etc/audit/audit.rules file
+in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
|
- Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'
+ The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
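Review bot: in the added pam_timestamp_check row the audit rule is split across two lines (`+-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`), in both the augenrules and the auditctl variants; unless the rendered HTML joins them, a reader copying the text into a .rules file ends up with two malformed rules, so keep the rule on a single line. The finit_module row says "add the following lines" in both variants but lists a single rule; "the following line" would be accurate.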
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,20 +45,6 @@
|
AGD_PRE.1 AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
- AGD_PRE.1 AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -78,25 +64,17 @@
|
- FAU_GEN.1 |
- Enable auditd Service |
+ AGD_PRE.1 AGD_OPE.1 |
+ Install openscap-scanner Package |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
|
@@ -122,173 +100,144 @@
FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ Set number of records to cause an explicit flush to audit logs |
- The audit package should be installed.
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
- FAU_GEN.1.1.c |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ FAU_GEN.1 |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
FAU_GEN.1.1.c |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ Ensure auditd Collects File Deletion Events by User - rename |
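Review bot: the rationale for "Set number of records to cause an explicit flush to audit logs" is missing its value in the added text (`+ If option freq isn't set to , the flush to disk`); the description directly above sets freq to 50, so the rationale should read "isn't set to 50". The same defect exists on the removed side, so this is a pre-existing gap that the move carries forward. In the "Enable Auditing for Processes Which Start Prior to the Audit Daemon" row, the grubby command runs onto the prose line (`+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"`); a line break before `#` would keep the command separable from the sentence.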
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -77,6 +77,20 @@
Req-1.3.1 Req-1.3.2 |
+ Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
+ |
+
+ Routing protocol daemons are typically used on routers to exchange
+network topology information with other routers. If this capability is used when
+not required, system network information may be unnecessarily transmitted across
+the network.
+ |
+
+
+ Req-1.3.1 Req-1.3.2 |
Ensure IPv6 is disabled through kernel boot parameter |
To disable IPv6 protocol support in the Linux kernel,
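Review bot: the rationale of the added "Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces" row describes routing protocol daemons exchanging topology information, which does not explain the setting the row actually configures (`net.ipv4.ip_forward = 0`); consider a rationale that refers to the ip_forward parameter itself. The text is identical to the removed copy further down, so this is a pre-existing mismatch carried through the move.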
@@ -95,20 +109,6 @@
|
- Req-1.3.1 Req-1.3.2 |
- Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
- |
-
- Routing protocol daemons are typically used on routers to exchange
-network topology information with other routers. If this capability is used when
-not required, system network information may be unnecessarily transmitted across
-the network.
- |
-
-
Req-1.3.3 |
Deactivate Wireless Network Interfaces |
@@ -179,27 +179,6 @@
|
Req-1.4.2 |
- Disable DCCP Support |
-
- The Datagram Congestion Control Protocol (DCCP) is a
-relatively new transport layer protocol, designed to support
-streaming media and telephony.
-
-To configure the system to prevent the dccp
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
-install dccp /bin/true
-
-To configure the system to prevent the dccp from being used,
-add the following line to file /etc/modprobe.d/dccp.conf :
-blacklist dccp
- |
-
- Disabling DCCP protects
-the system against exploitation of any flaws in its implementation.
- |
-
-
- Req-1.4.2 |
Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
@@ -221,6 +200,27 @@
|
+ Req-1.4.2 |
+ Disable DCCP Support |
+
+ The Datagram Congestion Control Protocol (DCCP) is a
+relatively new transport layer protocol, designed to support
+streaming media and telephony.
+
+To configure the system to prevent the dccp
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
+install dccp /bin/true
+
+To configure the system to prevent the dccp from being used,
+add the following line to file /etc/modprobe.d/dccp.conf :
+blacklist dccp
+ |
+
+ Disabling DCCP protects
+the system against exploitation of any flaws in its implementation.
+ |
+
+
Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
@@ -237,6 +237,24 @@
|
Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
+
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
+ |
+
+ Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+ |
+
+
+ Req-1.4.3 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
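Review bot: the added rationale for "Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default" contains the typo "source-routerd" (`+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and`); it should read "source-routed". The same typo is in the removed copy of the row below, so fix it in the source text rather than only in this rendering.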
@@ -253,14 +271,17 @@
|
Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
|
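Review bot: the added "Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces" row tells the reader to set `net.ipv4.conf.all.rp_filter=1`, while its rationale warns that this "should not be used on systems which are routers for complicated networks" without saying what such a system should set instead; the description should either name the alternative setting for that case or state that the rule is not applicable there, otherwise an operator applying the profile to a router has no guidance.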
@@ -278,35 +299,14 @@
Req-1.4.3 |
- Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
-
- To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
- |
-
- Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
- |
-
-
- Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
@@ -327,30 +327,6 @@
Req-2.2.2 |
- Uninstall telnet-server Package |
-
- The telnet-server package can be removed with the following command:
-
-$ sudo yum erase telnet-server
- |
-
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,150 +45,136 @@
|
BP28(R1) |
- Remove tftp Daemon |
-
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
- |
-
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
- |
-
-
- BP28(R1) NT007(R03) |
- Uninstall the telnet server |
+ Uninstall rsh Package |
- The telnet daemon should be uninstalled.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall ypserv Package |
- The rsh-server package can be removed with the following command:
+ The ypserv package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase ypserv
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
BP28(R1) |
- Remove telnet Clients |
+ Remove NIS Client |
- The telnet client allows users to start connections to other systems via
-the telnet protocol.
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The telnet protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The ssh package provides an
-encrypted session and stronger security and is included in Oracle Linux 8.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
- BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1) NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
BP28(R1) |
- Remove NIS Client |
+ Ensure SMEP is not disabled during boot |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the nosmep boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmep.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmep"
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
|
BP28(R1) |
- Uninstall rsh Package |
+ Uninstall rsh-server Package |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
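Review bot: nearly all of this hunk is row-ordering churn rather than a content change: the 'Uninstall the telnet server', 'Uninstall rsh Package', 'Uninstall rsh-server Package' and 'Remove NIS Client' rows are each removed at one position and re-added with identical text at another, which hides the real edits (the new 'Ensure SMEP is not disabled during boot', 'Uninstall ypserv Package' and 'Uninstall Sendmail Package' rows, and the 'Remove telnet Clients' and 'Uninstall talk-server Package' rows that are dropped within the visible range). Emitting the table rows in a stable sorted order would make these diffs reviewable. The moved text also carries defects that should be fixed in the rule descriptions it is generated from: 'paramenter' in the SMEP row, the missing space in 'rsh,rcp, and rlogin', the stray trailing quote in 'no integrity checking is made.'', and the blank lines that split 'The rsh package contains the client commands' from 'for the rsh services'.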
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,15 +44,56 @@
|
+ 3.1.1 3.1.5 |
+ Disable SSH Root Login |
+
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
+ |
+
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
+ |
+
+
+ 3.1.1 3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
3.1.1 3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
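Review bot: swapping 'Require Authentication for Emergency Systemd Target' for 'Require Authentication for Single User Mode' changes the control behind the 3.1.1 3.4.5 mapping, and the two are not interchangeable: the old row points at /usr/lib/systemd/system/emergency.service and the new one at /usr/lib/systemd/system/rescue.service, which are separate units, so emergency mode is no longer covered by this table unless another row handles it. Either keep both rows or state in the change description why the emergency-target rule was dropped. The 'Disable SSH Root Login' and 'Prevent Login to Accounts With Empty Password' rows added at the top of this hunk are the same text removed lower in the file, so that part is a reorder rather than new content.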
@@ -61,49 +102,35 @@
|
- 3.1.1 3.1.5 |
- Disable SSH Access via Empty Passwords |
+ 3.1.1 |
+ Disable GDM Guest Login |
- Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
3.1.1 3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
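Review bot: 'To do disable timed logins or guest account access' in the new 'Disable GDM Guest Login' row is a typo for 'To disable timed logins or guest account access'; since this HTML is generated, fix it in the rule description so every table picks it up. The GDM row also carries only 3.1.1 while the neighbouring rows carry 3.1.1 3.1.5, which looks intentional but is worth confirming. The two SSH rows removed here reappear elsewhere in the file, so the substantive additions in this hunk are the GDM row and 'Restrict Serial Port Root Logins'.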
@@ -128,29 +155,28 @@
- 3.1.1 3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1 3.1.5 |
+ Disable SSH Access via Empty Passwords |
- To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Oracle Linux 8's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
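Review bot: removing 'Direct root Logins Not Allowed' drops the only row in this hunk that referenced 3.1.6, so after the change that identifier no longer maps to any rule in the visible diff; confirm it is still covered elsewhere or that the removal is deliberate. Losing the row's text is no loss otherwise: its remediation '$ sudo echo > /etc/securetty' does not do what it says, because the redirection is performed by the caller's shell before sudo runs, so an unprivileged user gets a permission error and the file is never emptied. The 'Disable SSH Access via Empty Passwords' row added in its place is the same text removed earlier in the file, i.e. a move.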
@@ -171,58 +197,6 @@
- 3.1.1 3.1.5 |
- Prevent Login to Accounts With Empty Password |
-
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
- |
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,138 +44,147 @@
- AU-2(d) AU-12(c) CM-6(a) |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ AU-2(a) |
+ Configure auditing of unsuccessful file accesses |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Ensure that unsuccessful attempts to access a file are audited.
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+The following rules configure audit as described above:
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Load new Audit rules into kernel by running:
+augenrules --load
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
|
- AC-2(g) AU-3 AU-10 AU-2(d) AU-12(c) AU-14(1) AC-6(9) CM-6(a) SI-4(23) |
- Enable auditd Service |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
AU-2(d) AU-12(c) CM-6(a) |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ Ensure auditd Collects File Deletion Events by User - rename |
- The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, check the order of rules below in
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
- The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Record Access Events to Audit Log Directory |
+ Record Events that Modify the System's Network Environment |
- The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rule to
-/etc/audit/audit.rules file.
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
- Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'
+ The network environment should not be modified by anything other
+than administrator action. Any change to network parameters should be
+audited.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
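Review bot: the audit rule in the new 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' row is rendered as two lines ('-a always,exit -F path=/usr/sbin/pam_timestamp_check' followed by '-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'); auditctl and augenrules read one rule per line with no continuation syntax, so a reader who copies this into a .rules file gets a broken rule. Keep it on one line. In the 'Configure auditing of unsuccessful file accesses' row, 'alligned' should be 'aligned', and the comment 'This has to go last' deserves a sentence explaining why, since the row that used to carry that explanation ('Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly', with its note that more specific rules must precede less specific ones) is removed in this same hunk. The reference for that row also shrinks from 'AU-2(d) AU-12(c) CM-6(a)' to 'AU-2(a)', which should be confirmed as intended rather than a mapping loss.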
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -77,6 +77,20 @@
Req-1.3.1 Req-1.3.2 |
+ Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
+ |
+
+ Routing protocol daemons are typically used on routers to exchange
+network topology information with other routers. If this capability is used when
+not required, system network information may be unnecessarily transmitted across
+the network.
+ |
+
+
+ Req-1.3.1 Req-1.3.2 |
Ensure IPv6 is disabled through kernel boot parameter |
To disable IPv6 protocol support in the Linux kernel,
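Review bot: the rationale in the new 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' row does not describe the setting: it talks about routing protocol daemons exchanging topology information, but net.ipv4.ip_forward controls whether the kernel forwards packets between interfaces at all, regardless of any routing daemon. A host that is not meant to be a router should not forward traffic, and that is what the rationale should say. The row is otherwise unchanged text, since the next hunk removes the identical block from its old position.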
@@ -95,20 +109,6 @@
|
- Req-1.3.1 Req-1.3.2 |
- Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
- |
-
- Routing protocol daemons are typically used on routers to exchange
-network topology information with other routers. If this capability is used when
-not required, system network information may be unnecessarily transmitted across
-the network.
- |
-
-
Req-1.3.3 |
Deactivate Wireless Network Interfaces |
@@ -179,27 +179,6 @@
|
Req-1.4.2 |
- Disable DCCP Support |
-
- The Datagram Congestion Control Protocol (DCCP) is a
-relatively new transport layer protocol, designed to support
-streaming media and telephony.
-
-To configure the system to prevent the dccp
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
-install dccp /bin/true
-
-To configure the system to prevent the dccp from being used,
-add the following line to file /etc/modprobe.d/dccp.conf :
-blacklist dccp
- |
-
- Disabling DCCP protects
-the system against exploitation of any flaws in its implementation.
- |
-
-
- Req-1.4.2 |
Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
@@ -221,6 +200,27 @@
|
+ Req-1.4.2 |
+ Disable DCCP Support |
+
+ The Datagram Congestion Control Protocol (DCCP) is a
+relatively new transport layer protocol, designed to support
+streaming media and telephony.
+
+To configure the system to prevent the dccp
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
+install dccp /bin/true
+
+To configure the system to prevent the dccp from being used,
+add the following line to file /etc/modprobe.d/dccp.conf :
+blacklist dccp
+ |
+
+ Disabling DCCP protects
+the system against exploitation of any flaws in its implementation.
+ |
+
+
Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
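Review bot: 'install dccp /bin/true' in the re-added 'Disable DCCP Support' row makes a modprobe attempt exit successfully while silently doing nothing, which hides load attempts from anyone checking the return code; using /bin/false makes the refusal visible, so consider updating the rule text. The description also presents the 'install' and 'blacklist' lines as two alternatives, but they do different jobs: 'blacklist' only stops alias-based autoloading, while 'install' also blocks explicit modprobe calls, so the text should say both lines belong in /etc/modprobe.d/dccp.conf together. The row itself is the block removed unchanged two hunks above, so this is a move.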
@@ -237,6 +237,24 @@
|
Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
+
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
+ |
+
+ Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+ |
+
+
+ Req-1.4.3 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
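Review bot: 'source-routerd' in the rationale of the moved 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default' row should be 'source-routed'; as with the other rows, fix it in the source description rather than in the generated HTML. The row is otherwise identical to the one removed further down in this file, so the hunk is a reorder.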
@@ -253,14 +271,17 @@
|
Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
|
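Review bot: this hunk and the following one swap the 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces' and 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces' rows without changing their text, so there is nothing to review in the content; the churn again argues for a stable row order in the generator. One improvement for the rp_filter row while it is being touched: its rationale warns that strict filtering is unsuitable for routers on complicated networks but does not mention that the parameter also accepts 2 (loose mode) for exactly that case; a one-line pointer would make the caveat actionable.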
@@ -278,35 +299,14 @@
Req-1.4.3 |
- Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
-
- To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
- |
-
- Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
- |
-
-
- Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
@@ -331,34 +331,34 @@
Req-2.2 |
- Configure OpenSSL library to use System Crypto Policy |
+ Configure SSH to use System Crypto Policy |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
+SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,166 +44,147 @@
|
- AU-2(d) AU-12(c) CM-6(a) |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ AU-2(a) |
+ Configure auditing of unsuccessful file accesses |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Ensure that unsuccessful attempts to access a file are audited.
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+The following rules configure audit as described above:
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Load new Audit rules into kernel by running:
+augenrules --load
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
|
- AC-2(g) AU-3 AU-10 AU-2(d) AU-12(c) AU-14(1) AC-6(9) CM-6(a) SI-4(23) |
- Enable auditd Service |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following manifest:
-
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
- labels:
- machineconfiguration.openshift.io/role: master
- name: 75-master-auditd-enable
-spec:
- config:
- ignition:
- version: 3.1.0
- systemd:
- units:
- - name: auditd.service
- enabled: true
-
-
-This will enable the auditd service in all the
-nodes labeled with the "master" role.
-
-
-Note that this needs to be done for each MachineConfigPool
-
-
-For more information on how to configure nodes with the Machine Config
-Operator see
-the relevant documentation.
-
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
AU-2(d) AU-12(c) CM-6(a) |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ Ensure auditd Collects File Deletion Events by User - rename |
- The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, check the order of rules below in
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
- The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Record Access Events to Audit Log Directory |
+ Record Events that Modify the System's Network Environment |
- The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
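Review bot: the pam_timestamp_check rule added in this hunk is wrapped onto two lines (`-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`), and it appears that way twice (augenrules and auditctl variants). Audit rules files are one rule per line, so either keep the rule on a single line in the rendered text or state that the two fragments belong on one line, otherwise a reader copying it gets a broken second rule. Minor: the OSPP note in the same hunk spells "aligned" as "alligned".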
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,150 +45,136 @@
|
BP28(R1) |
- Remove tftp Daemon |
-
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
- |
-
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
- |
-
-
- BP28(R1) NT007(R03) |
- Uninstall the telnet server |
+ Uninstall rsh Package |
- The telnet daemon should be uninstalled.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall ypserv Package |
- The rsh-server package can be removed with the following command:
+ The ypserv package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase ypserv
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
BP28(R1) |
- Remove telnet Clients |
+ Remove NIS Client |
- The telnet client allows users to start connections to other systems via
-the telnet protocol.
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The telnet protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The ssh package provides an
-encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
- BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1) NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
BP28(R1) |
- Remove NIS Client |
+ Ensure SMEP is not disabled during boot |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the nosmep boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmep.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmep"
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
|
BP28(R1) |
- Uninstall rsh Package |
+ Uninstall rsh-server Package |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
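Review bot: the text moved in this hunk carries over three small errors that should be fixed while the entries are being touched: a stray closing apostrophe after "no integrity checking is made." in the telnet rationale, "paramenter" for "parameter" in the SMEP description, and the missing space in "rsh,rcp, and rlogin" in the rsh rationale.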
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -115,6 +115,26 @@
|
1.1.1.3 |
+ Disable Mounting of jffs2 |
+
+
+To configure the system to prevent the jffs2
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf :
+install jffs2 /bin/true
+
+To configure the system to prevent the jffs2 from being used,
+add the following line to file /etc/modprobe.d/jffs2.conf :
+blacklist jffs2
+
+This effectively prevents usage of this uncommon filesystem.
+ |
+
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+ |
+
+
+ 1.1.1.3 |
Disable Mounting of udf |
@@ -140,26 +160,6 @@
|
- 1.1.1.3 |
- Disable Mounting of jffs2 |
-
-
-To configure the system to prevent the jffs2
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf :
-install jffs2 /bin/true
-
-To configure the system to prevent the jffs2 from being used,
-add the following line to file /etc/modprobe.d/jffs2.conf :
-blacklist jffs2
-
-This effectively prevents usage of this uncommon filesystem.
- |
-
- Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
- |
-
-
1.1.1.4 |
Disable Mounting of hfs |
@@ -615,23 +615,6 @@
|
1.2.3 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
- To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
- Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- 1.2.3 |
Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software packages
@@ -661,6 +644,23 @@
|
1.2.3 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+ To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+ Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
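Review bot: the re-added gpgcheck rationale ends with a stray double quote (`approved Certificate Authority (CA)."`), carried over unchanged from the block deleted in the previous hunk; drop the quote while the entry is being moved.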
@@ -821,12 +821,12 @@
|
1.4.2 |
- Verify /boot/grub2/grub.cfg Permissions |
+ Verify the UEFI Boot Loader grub.cfg Permissions |
- File permissions for /boot/grub2/grub.cfg should be set to 600.
+ File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
-To properly set the permissions of /boot/grub2/grub.cfg , run the command:
-$ sudo chmod 600 /boot/grub2/grub.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg , run the command:
+$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
|
Proper permissions ensure that only the root user can modify important boot
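Review bot: the retitled UEFI entry raises the required mode from 600 to 700 for /boot/efi/EFI/redhat/grub.cfg, but the rationale line kept as context still speaks only of preventing modification, and the sibling entry for /boot/grub2/grub.cfg later in this file keeps 600. Confirm that the execute bit is intended for the UEFI copy and, if so, say why in the rationale; otherwise use 600 for both so the two entries are consistent.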
@@ -835,28 +835,27 @@
|
1.4.2 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg , run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg , run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
1.4.2 |
- Verify /boot/grub2/user.cfg Permissions |
+ Verify /boot/efi/EFI/redhat/user.cfg Permissions |
- File permissions for /boot/grub2/user.cfg should be set to 600.
+ File permissions for /boot/efi/EFI/redhat/user.cfg should be set to 600.
-To properly set the permissions of /boot/grub2/user.cfg , run the command:
-$ sudo chmod 600 /boot/grub2/user.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/user.cfg , run the command:
+$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg
|
Proper permissions ensure that only the root user can read or modify important boot
@@ -865,13 +864,27 @@
|
1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg Permissions |
- The file /boot/efi/EFI/redhat/user.cfg should be group-owned by the
-root group to prevent reading or modification of the file.
+ File permissions for /boot/grub2/grub.cfg should be set to 600.
-To properly set the group owner of /boot/efi/EFI/redhat/user.cfg , run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
+To properly set the permissions of /boot/grub2/grub.cfg , run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
+ |
+
+ Proper permissions ensure that only the root user can modify important boot
+parameters.
+ |
+
+
+ 1.4.2 |
+ Verify /boot/grub2/user.cfg Group Ownership |
+
+ The file /boot/grub2/user.cfg should be group-owned by the root
+group to prevent reading or modification of the file.
+
+To properly set the group owner of /boot/grub2/user.cfg , run the command:
+$ sudo chgrp root /boot/grub2/user.cfg
|
The root group is a highly-privileged group. Furthermore, the group-owner of this
@@ -881,44 +894,44 @@
|
1.4.2 |
- Verify /boot/grub2/user.cfg User Ownership |
+ Verify /boot/grub2/user.cfg Permissions |
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,15 +44,56 @@
|
+ 3.1.1 3.1.5 |
+ Disable SSH Root Login |
+
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
+ |
+
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
+ |
+
+
+ 3.1.1 3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
3.1.1 3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
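Review bot: in the added "Prevent Login to Accounts With Empty Password" entry, "Remove any instances of the nullok in /etc/pam.d/system-auth and /etc/pam.d/password-auth" is missing a noun after nullok ("the nullok option"). The same wording is deleted from its old position in a later hunk, so the fix belongs in this added copy.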
@@ -61,49 +102,35 @@
|
- 3.1.1 3.1.5 |
- Disable SSH Access via Empty Passwords |
+ 3.1.1 |
+ Disable GDM Guest Login |
- Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
3.1.1 3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
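Review bot: the added GDM entry reads "To do disable timed logins or guest account access"; drop the stray "do". The same sentence promises to disable guest account access, but the only setting shown is `TimedLoginEnable=false`; either list the setting that covers guest access as well or narrow the sentence to timed login so the description matches what the example configures.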
@@ -128,29 +155,28 @@
- 3.1.1 3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1 3.1.5 |
+ Disable SSH Access via Empty Passwords |
- To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux 7's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
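Review bot: the deleted "Direct root Logins Not Allowed" row is not re-added anywhere visible in this diff; check it was moved rather than dropped. Its removed instruction `$ sudo echo > /etc/securetty` was defective anyway, because the redirection is performed by the calling user's shell before sudo runs, so if the row is reinstated the command should be rewritten (for example by running the truncation under a root shell). In the added "Disable SSH Access via Empty Passwords" row, the double blank lines before /etc/ssh/sshd_config and before PermitEmptyPasswords no are rendering residue and a single line break would read better.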
@@ -171,58 +197,6 @@
- 3.1.1 3.1.5 |
- Prevent Login to Accounts With Empty Password |
-
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
- |
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,138 +44,125 @@
- AU-2(d) AU-12(c) CM-6(a) |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
- AC-2(g) AU-3 AU-10 AU-2(d) AU-12(c) AU-14(1) AC-6(9) CM-6(a) SI-4(23) |
- Enable auditd Service |
+ AU-2(d) AU-12(c) CM-6(a) |
+ Ensure auditd Collects File Deletion Events by User - rename |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d) AU-12(c) CM-6(a) |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Record Events that Modify the System's Network Environment |
- The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, check the order of rules below in
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
- The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.
+ The network environment should not be modified by anything other
+than administrator action. Any change to network parameters should be
+audited.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Record Access Events to Audit Log Directory |
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module |
- The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rule to
-/etc/audit/audit.rules file.
+ If the auditd daemon is configured to use the augenrules program
+to read audit rules during daemon startup (the default), add the following lines to a file
+with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
+loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit
+rules during daemon startup, add the following lines to /etc/audit/audit.rules file
+in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+b64 as appropriate for your system:
+
+-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
|
- Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'
+ The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
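Review bot: the added pam_timestamp_check rule is shown split across two lines (`-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`); auditctl and augenrules read one rule per line, so a reader copying the table verbatim ends up with a second line that is not a valid rule. Keep it on a single line, as the ARCH-based rename and finit_module rules in the same hunk are. Two smaller points: the finit_module text says "add the following lines" but lists one line, and the hunk stops mid-sentence ("It is important"), so the rest of that rationale could not be reviewed. The ftruncate, "Enable auditd Service", open_by_handle_at ordering and "Record Access Events to Audit Log Directory" rows removed here have no visible re-additions in this file.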
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,20 +45,6 @@
|
AGD_PRE.1 AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
- AGD_PRE.1 AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
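Review bot: this hunk only removes the "Install openscap-scanner Package" row, and the next hunk re-adds it verbatim after "Install scap-security-guide Package", so it is a reorder with no content change.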
@@ -78,35 +64,17 @@
|
- FAU_GEN.1 |
- Enable auditd Service |
-
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
- |
-
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
- |
-
-
- FAU_GEN.1 |
- Ensure the audit-libs package as a part of audit Subsystem is Installed |
+ AGD_PRE.1 AGD_OPE.1 |
+ Install openscap-scanner Package |
- The audit-libs package should be installed.
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
|
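Review bot: reorder only. The "Enable auditd Service" and "Ensure the audit-libs package as a part of audit Subsystem is Installed" rows deleted here reappear unchanged in the following hunk, and the openscap-scanner row added here is the one removed in the previous hunk. Worth fixing while the row is being moved: the audit-libs rationale ("The auditd service is an access monitoring and accounting daemon ...") describes the daemon rather than the library package the rule installs.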
@@ -132,50 +100,47 @@
FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit-libs package as a part of audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit-libs package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
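Review bot: reorder only. The "Enable Auditing for Processes Which Start Prior to the Audit Daemon" and "Set number of records to cause an explicit flush to audit logs" rows removed here are re-added in the next hunk, and the "Include Local Events in Audit Logs", "Enable auditd Service" and audit-libs rows added here are the ones deleted in the preceding hunks. No row text changes in this hunk.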
@@ -189,116 +154,100 @@
- FAU_GEN.1.1.c |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ FAU_GEN.1 |
+ Set number of records to cause an explicit flush to audit logs |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
+ |
+
+
+ FAU_GEN.1 |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ |
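Review bot: the re-added flush-frequency rationale still reads "If option freq isn't set to , the flush to disk may happen after higher number of records" with the value missing; the description directly above sets freq to 50, so the sentence should say "isn't set to 50". In the re-added GRUB row the grubby command is fused onto the preceding sentence ("...already installed kernels:# grubby --update-kernel=ALL --args="audit=1"") and belongs on its own line. The ftruncate row deleted at the top of this hunk has no counterpart anywhere in this diff; confirm it was dropped from the OSPP table intentionally.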
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -77,6 +77,20 @@
Req-1.3.1 Req-1.3.2 |
+ Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
+ |
+
+ Routing protocol daemons are typically used on routers to exchange
+network topology information with other routers. If this capability is used when
+not required, system network information may be unnecessarily transmitted across
+the network.
+ |
+
+
+ Req-1.3.1 Req-1.3.2 |
Ensure IPv6 is disabled through kernel boot parameter |
To disable IPv6 protocol support in the Linux kernel,
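Review bot: the rationale attached to the added "Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces" row talks only about routing protocol daemons exchanging topology information and never mentions packet forwarding, so it does not explain why net.ipv4.ip_forward=0 is required; consider rewording it around forwarding. The row text is otherwise identical to the one deleted in the next hunk, so the change is a reorder.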
@@ -95,20 +109,6 @@
|
- Req-1.3.1 Req-1.3.2 |
- Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
- |
-
- Routing protocol daemons are typically used on routers to exchange
-network topology information with other routers. If this capability is used when
-not required, system network information may be unnecessarily transmitted across
-the network.
- |
-
-
Req-1.3.3 |
Deactivate Wireless Network Interfaces |
@@ -179,27 +179,6 @@
|
Req-1.4.2 |
- Disable DCCP Support |
-
- The Datagram Congestion Control Protocol (DCCP) is a
-relatively new transport layer protocol, designed to support
-streaming media and telephony.
-
-To configure the system to prevent the dccp
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
-install dccp /bin/true
-
-To configure the system to prevent the dccp from being used,
-add the following line to file /etc/modprobe.d/dccp.conf :
-blacklist dccp
- |
-
- Disabling DCCP protects
-the system against exploitation of any flaws in its implementation.
- |
-
-
- Req-1.4.2 |
Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
@@ -221,6 +200,27 @@
|
+ Req-1.4.2 |
+ Disable DCCP Support |
+
+ The Datagram Congestion Control Protocol (DCCP) is a
+relatively new transport layer protocol, designed to support
+streaming media and telephony.
+
+To configure the system to prevent the dccp
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
+install dccp /bin/true
+
+To configure the system to prevent the dccp from being used,
+add the following line to file /etc/modprobe.d/dccp.conf :
+blacklist dccp
+ |
+
+ Disabling DCCP protects
+the system against exploitation of any flaws in its implementation.
+ |
+
+
Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
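Review bot: the re-added "Disable DCCP Support" row is identical to the one deleted in the earlier hunk, so this is a reorder. While it is being moved, the instructions tell the reader to add `install dccp /bin/true` and then `blacklist dccp` to the same /etc/modprobe.d/dccp.conf as two separate steps; showing them as one two-line file would make the intended end state clearer.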
@@ -237,6 +237,24 @@
|
Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
+
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
+ |
+
+ Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+ |
+
+
+ Req-1.4.3 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
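Review bot: typo in the added source-route row: "source-routerd traffic" should read "source-routed traffic". The same text is deleted unchanged in a later hunk, so the row is only moving and the typo moves with it; this hunk is the place to correct it.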
@@ -253,14 +271,17 @@
|
Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
|
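Review bot: this hunk and the one that follows swap the positions of the "Ignore Bogus ICMP Error Responses" and "Reverse Path Filtering" rows; both rows' text is carried over unchanged. The rp_filter rationale itself states the setting "should not be used on systems which are routers for complicated networks", yet the row offers no exemption; consider saying in the row that the check targets end hosts and small routers.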
@@ -278,35 +299,14 @@
Req-1.4.3 |
- Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
-
- To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
- |
-
- Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
- |
-
-
- Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
@@ -327,30 +327,6 @@
Req-2.2.2 |
- Uninstall telnet-server Package |
-
- The telnet-server package can be removed with the following command:
-
-$ sudo yum erase telnet-server
- |
-
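Review bot: this hunk deletes the "Uninstall telnet-server Package" row under Req-2.2.2 and the diff is cut off after its first lines, so whether the row is re-added further down cannot be checked from what is shown; confirm telnet-server removal is still covered in the PCI-DSS table.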
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -45,150 +45,136 @@
|
BP28(R1) |
- Remove tftp Daemon |
-
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
- |
-
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
- |
-
-
- BP28(R1) NT007(R03) |
- Uninstall the telnet server |
+ Uninstall rsh Package |
- The telnet daemon should be uninstalled.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall ypserv Package |
- The rsh-server package can be removed with the following command:
+ The ypserv package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase ypserv
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
BP28(R1) |
- Remove telnet Clients |
+ Remove NIS Client |
- The telnet client allows users to start connections to other systems via
-the telnet protocol.
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The telnet protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The ssh package provides an
-encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
- BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1) NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
BP28(R1) |
- Remove NIS Client |
+ Ensure SMEP is not disabled during boot |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the nosmep boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmep.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmep"
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
|
BP28(R1) |
- Uninstall rsh Package |
+ Uninstall rsh-server Package |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
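Review bot: Since this hunk only reorders rows, the text defects in the removed lines are carried verbatim into the added copies and should be fixed there: "nosmep boot paramenter option" in the SMEP description should read "parameter"; the telnet rationale ends with a stray apostrophe after "no integrity checking is made." and "can be listened" should be "can be eavesdropped on"; "rsh,rcp, and rlogin" needs a space after the comma; "DOS attacks" in the NIS rationale should be "DoS attacks". The SMEP description is also the only one in this set without a remediation prompt style matching the others ("# grubby ..." versus "$ sudo ..."), so pick one convention.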
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -70,51 +70,51 @@
|
1.1.1.2 |
- Disable Mounting of vFAT filesystems |
+ Disable Mounting of squashfs |
-To configure the system to prevent the vfat
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf :
-install vfat /bin/true
+To configure the system to prevent the squashfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf :
+install squashfs /bin/true
-To configure the system to prevent the vfat from being used,
-add the following line to file /etc/modprobe.d/vfat.conf :
-blacklist vfat
+To configure the system to prevent the squashfs from being used,
+add the following line to file /etc/modprobe.d/squashfs.conf :
+blacklist squashfs
This effectively prevents usage of this uncommon filesystem.
-The vFAT filesystem format is primarily used on older
-windows systems and portable USB drives or flash modules. It comes
-in three types FAT12, FAT16, and FAT32
-all of which are supported by the vfat kernel module.
+The squashfs filesystem type is a compressed read-only Linux
+filesystem embedded in small footprint systems (similar to
+cramfs). A squashfs image can be used without having
+to first decompress the image.
|
- Removing support for unneeded filesystems reduces the local attack
+ Removing support for unneeded filesystem types reduces the local attack
surface of the system.
|
1.1.1.2 |
- Disable Mounting of squashfs |
+ Disable Mounting of vFAT filesystems |
-To configure the system to prevent the squashfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf :
-install squashfs /bin/true
+To configure the system to prevent the vfat
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf :
+install vfat /bin/true
-To configure the system to prevent the squashfs from being used,
-add the following line to file /etc/modprobe.d/squashfs.conf :
-blacklist squashfs
+To configure the system to prevent the vfat from being used,
+add the following line to file /etc/modprobe.d/vfat.conf :
+blacklist vfat
This effectively prevents usage of this uncommon filesystem.
-The squashfs filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-cramfs). A squashfs image can be used without having
-to first decompress the image.
+The vFAT filesystem format is primarily used on older
+windows systems and portable USB drives or flash modules. It comes
+in three types FAT12, FAT16, and FAT32
+all of which are supported by the vfat kernel module.
|
- Removing support for unneeded filesystem types reduces the local attack
+ Removing support for unneeded filesystems reduces the local attack
surface of the system.
|
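Review bot: The two rows swapped here carry the same identifier (1.1.1.2) and identical text, so this hunk is ordering churn rather than a content change; if the generator sorts rows by CIS id, rows with equal ids need a secondary sort key (rule title, for example) so the table stops flipping between builds. While touching it, the closing sentence "This effectively prevents usage of this uncommon filesystem." is copied into the vFAT row even though that row's own description says vFAT is used on "portable USB drives or flash modules"; drop "uncommon" from the vFAT row or reword it.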
@@ -708,25 +708,6 @@
1.2.2 |
- Disable Red Hat Network Service (rhnsd) |
-
- The Red Hat Network service automatically queries Red Hat Network
-servers to determine whether there are any actions that should be executed,
-such as package updates. This only occurs if the system was registered to an
-RHN server or satellite and managed as such.
-
-The rhnsd service can be disabled with the following command:
-$ sudo systemctl mask --now rhnsd.service
- |
-
- Although systems management and patching is extremely important to
-system security, management by a system outside the enterprise enclave is not
-desirable for some environments. However, if the system is being managed by RHN or
- RHN Satellite Server the rhnsd daemon can remain on.
- |
-
-
- 1.2.2 |
Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software packages
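Review bot: The rhnsd row removed here is re-added unchanged in the following hunk, so this is a row move inside the same 1.2.2 group; as with the filesystem rows above, equal-id rows need a stable secondary sort so the diff does not show a delete-and-reinsert for every build.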
@@ -755,19 +736,22 @@
|
- 1.2.3 |
- Enable authselect |
+ 1.2.2 |
+ Disable Red Hat Network Service (rhnsd) |
- Configure user authentication setup to use the authselect tool.
-If authselect profile is selected, the rule will enable the minimal profile.
+ The Red Hat Network service automatically queries Red Hat Network
+servers to determine whether there are any actions that should be executed,
+such as package updates. This only occurs if the system was registered to an
+RHN server or satellite and managed as such.
+
+The rhnsd service can be disabled with the following command:
+$ sudo systemctl mask --now rhnsd.service
|
- Authselect is a successor to authconfig.
-It is a tool to select system authentication and identity sources from a list of supported
-profiles instead of letting the administrator manually build the PAM stack.
-
-That way, it avoids potential breakage of configuration, as it ships several tested profiles
-that are well tested and supported to solve different use-cases.
+ Although systems management and patching is extremely important to
+system security, management by a system outside the enterprise enclave is not
+desirable for some environments. However, if the system is being managed by RHN or
+ RHN Satellite Server the rhnsd daemon can remain on.
|
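Review bot: The re-added rhnsd rationale has a subject-verb disagreement, "systems management and patching is extremely important", which should read "are extremely important"; and the stray leading space on " RHN Satellite Server the rhnsd daemon can remain on." should be removed. The authselect row deleted in this hunk reappears in the next one, so that part is a move, not a removal.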
@@ -799,6 +783,22 @@
+ 1.2.3 |
+ Enable authselect |
+
+ Configure user authentication setup to use the authselect tool.
+If authselect profile is selected, the rule will enable the minimal profile.
+ |
+
+ Authselect is a successor to authconfig.
+It is a tool to select system authentication and identity sources from a list of supported
+profiles instead of letting the administrator manually build the PAM stack.
+
+That way, it avoids potential breakage of configuration, as it ships several tested profiles
+that are well tested and supported to solve different use-cases.
+ |
+
+
1.3.1 |
Install AIDE |
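Review bot: The re-added authselect description is unclear about what is being selected: "If authselect profile is selected, the rule will enable the minimal profile." should state that the rule selects the minimal authselect profile when no profile is currently in use, or whatever the intended condition is. The rationale also repeats itself ("several tested profiles that are well tested"); "several tested and supported profiles" says the same thing once.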
@@ -913,12 +913,12 @@
|
1.4.2 |
- Verify /boot/grub2/grub.cfg Permissions |
+ Verify the UEFI Boot Loader grub.cfg Permissions |
- File permissions for /boot/grub2/grub.cfg should be set to 600.
+ File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
-To properly set the permissions of /boot/grub2/grub.cfg , run the command:
-$ sudo chmod 600 /boot/grub2/grub.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg , run the command:
+$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
|
Proper permissions ensure that only the root user can modify important boot
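Review bot: The mode changes from 600 to 700 along with the path, which adds the execute bit to a configuration file, but the rationale text that follows still only talks about preventing modification; document why 700 is the expected mode for /boot/efi/EFI/redhat/grub.cfg (the description should say what makes it differ from the 600 required for /boot/grub2/grub.cfg) so that an auditor does not read the execute bit as an error.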
@@ -927,28 +927,27 @@
|
1.4.2 |
- Verify /boot/grub2/grub.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg , run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg , run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
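Review bot: The group-ownership row for /boot/grub2/grub.cfg is replaced by the user-ownership row rather than accompanied by it, and "chown root" alone leaves the group unchanged; confirm the group-ownership check still appears elsewhere in the 1.4.2 group, otherwise the table loses one of the two ownership checks. The new rationale "Only root should be able to modify important boot parameters." is fine but the dropped group rationale explained why the group owner matters and could be kept alongside it.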
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,15 +44,56 @@
+ 3.1.1 3.1.5 |
+ Disable SSH Root Login |
+
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
+ |
+
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
+ |
+
+
+ 3.1.1 3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
3.1.1 3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
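Review bot: In the added "Prevent Login to Accounts With Empty Password" row, "Remove any instances of the nullok in" should read "Remove any instances of the nullok option from", and the run of blank lines inside the "Disable SSH Root Login" instructions (between "add or correct the following line in" and "/etc/ssh/sshd_config:") should be collapsed so the file path and the PermitRootLogin no line read as one instruction. The single-user mode row names rescue.service while the removed text named emergency.service; both units exist on systemd, so the rule title should make clear that only rescue.service is checked here.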
@@ -61,49 +102,35 @@
|
- 3.1.1 3.1.5 |
- Disable SSH Access via Empty Passwords |
+ 3.1.1 |
+ Disable GDM Guest Login |
- Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for PermitEmptyPasswords.
-
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-
-PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
3.1.1 3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
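Review bot: The GDM row's remediation only disables timed login (TimedLoginEnable=false) while the title and text promise to disable "guest" access as well; either name the additional setting that controls guest access or narrow the wording to timed login. Two typos in the same added text: "To do disable timed logins" should be "To disable timed logins", and "allow users to login without credentials" should be "log in". The serial-port row relies on entries in /etc/securetty, so it should state that the check only has effect where pam_securetty is part of the login stack.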
@@ -128,29 +155,28 @@
- 3.1.1 3.1.6 |
- Direct root Logins Not Allowed |
+ 3.1.1 3.1.5 |
+ Disable SSH Access via Empty Passwords |
- To further limit access to the root account, administrators
-can disable root logins at the console by editing the /etc/securetty file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux 8's
-/etc/securetty file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-
-$ sudo echo > /etc/securetty
-
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
|
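Review bot: Removing the "Direct root Logins Not Allowed" row also drops the only 3.1.6 mapping visible in this table; confirm 3.1.6 is still covered somewhere, since the replacement row maps only to 3.1.1 3.1.5. If the removed row is reinstated elsewhere, its remediation "$ sudo echo > /etc/securetty" should be corrected at the same time: sudo applies only to echo, so the redirection runs as the unprivileged user and fails; a form such as "echo | sudo tee /etc/securetty" actually truncates the file as root. The re-added PermitEmptyPasswords text has the same stray blank lines around "/etc/ssh/sshd_config:" noted for the root-login row.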
@@ -171,58 +197,6 @@
- 3.1.1 3.1.5 |
- Prevent Login to Accounts With Empty Password |
-
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
- |
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -44,138 +44,147 @@
- AU-2(d) AU-12(c) CM-6(a) |
- Record Unsuccessful Access Attempts to Files - ftruncate |
+ AU-2(a) |
+ Configure auditing of unsuccessful file accesses |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Ensure that unsuccessful attempts to access a file are audited.
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+The following rules configure audit as described above:
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Load new Audit rules into kernel by running:
+augenrules --load
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
|
- AC-2(g) AU-3 AU-10 AU-2(d) AU-12(c) AU-14(1) AC-6(9) CM-6(a) SI-4(23) |
- Enable auditd Service |
+ AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
AU-2(d) AU-12(c) CM-6(a) |
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly |
+ Ensure auditd Collects File Deletion Events by User - rename |
- The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, check the order of rules below in
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
- The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Record Access Events to Audit Log Directory |
+ Record Events that Modify the System's Network Environment |
- The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix .rules in the directory
-/etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rule to
-/etc/audit/audit.rules file.
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
|
- Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'
+ The network environment should not be modified by anything other
+than administrator action. Any change to network parameters should be
+audited.
|
AU-2(d) AU-12(c) AC-6(9) CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue |
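Review bot: The pam_timestamp_check rule in the added row is wrapped onto two lines ("-a always,exit -F path=/usr/sbin/pam_timestamp_check" followed by "-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"); audit rule files are line-oriented, so a reader who pastes this as shown gets one incomplete rule plus one line that augenrules rejects, and the rule should be rendered on a single line in both the rules.d and audit.rules variants. In the "Configure auditing of unsuccessful file accesses" row, "augenrules --load" is the only command in this table shown without the "$ sudo" prefix used everywhere else, and "alligned with your needs" should read "aligned". The comment "## Unsuccessful file access (any other opens) This has to go last." is carried into the rule listing but nothing in the description explains what it must come after; a sentence pointing at the more specific unsuccessful-create and unsuccessful-modification rules would make the ordering requirement actionable.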
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2023-10-17 02:00:00.000000000 +0200
@@ -77,6 +77,20 @@
Req-1.3.1 Req-1.3.2 |
+ Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
+ |
+
+ Routing protocol daemons are typically used on routers to exchange
+network topology information with other routers. If this capability is used when
+not required, system network information may be unnecessarily transmitted across
+the network.
+ |
+
+
+ Req-1.3.1 Req-1.3.2 |
Ensure IPv6 is disabled through kernel boot parameter |
To disable IPv6 protocol support in the Linux kernel,
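Review bot: the rationale attached to the relocated "Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces" row talks about routing protocol daemons exchanging topology information, which does not explain why net.ipv4.ip_forward should be 0. The actual risk of leaving forwarding on is that a multi-homed host silently acts as a router between its networks and lets traffic bypass perimeter filtering; suggest a rationale that says so. The row text is identical to the block removed in the next hunk, so this hunk changes only the row's position in the generated table, which points at nondeterministic ordering in the table generator rather than a content change.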
@@ -95,20 +109,6 @@
|
- Req-1.3.1 Req-1.3.2 |
- Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0
- |
-
- Routing protocol daemons are typically used on routers to exchange
-network topology information with other routers. If this capability is used when
-not required, system network information may be unnecessarily transmitted across
-the network.
- |
-
-
Req-1.3.3 |
Deactivate Wireless Network Interfaces |
@@ -179,27 +179,6 @@
|
Req-1.4.2 |
- Disable DCCP Support |
-
- The Datagram Congestion Control Protocol (DCCP) is a
-relatively new transport layer protocol, designed to support
-streaming media and telephony.
-
-To configure the system to prevent the dccp
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
-install dccp /bin/true
-
-To configure the system to prevent the dccp from being used,
-add the following line to file /etc/modprobe.d/dccp.conf :
-blacklist dccp
- |
-
- Disabling DCCP protects
-the system against exploitation of any flaws in its implementation.
- |
-
-
- Req-1.4.2 |
Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
@@ -221,6 +200,27 @@
|
+ Req-1.4.2 |
+ Disable DCCP Support |
+
+ The Datagram Congestion Control Protocol (DCCP) is a
+relatively new transport layer protocol, designed to support
+streaming media and telephony.
+
+To configure the system to prevent the dccp
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
+install dccp /bin/true
+
+To configure the system to prevent the dccp from being used,
+add the following line to file /etc/modprobe.d/dccp.conf :
+blacklist dccp
+ |
+
+ Disabling DCCP protects
+the system against exploitation of any flaws in its implementation.
+ |
+
+
Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
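Review bot: "The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol" is stale wording; DCCP was standardized in RFC 4340 in 2006, so the line should just say what it is. The two instructions also read as alternatives ("To configure the system to prevent the dccp kernel module from being loaded, add the following line ... install dccp /bin/true" and then "To configure the system to prevent the dccp from being used, add the following line ... blacklist dccp"), but they do different jobs: the `install` override stops modprobe from loading the module at all, while `blacklist` only stops alias-based autoloading. The text should say both lines go in /etc/modprobe.d/dccp.conf. The block is byte-identical to the one removed in the @@ -179,27 +179,6 @@ hunk above, so only the row order changed.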
@@ -237,6 +237,24 @@
|
Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
+
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
+ |
+
+ Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+ |
+
+
+ Req-1.4.3 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
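Review bot: typo in the new rationale, "source-routerd" should be "source-routed". More substantively, net.ipv6.conf.default.accept_source_route only seeds interfaces created after the sysctl is applied; interfaces that already exist keep their current value, so this rule alone leaves the interfaces that are up at remediation time unchanged and should be paired with the corresponding net.ipv6.conf.all.accept_source_route rule. Worth a sentence in the description so readers do not assume the "default" variant covers every interface.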
@@ -253,14 +271,17 @@
|
Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
|
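Review bot: the rationale for the swapped-in reverse-path-filtering row says it "should not be used on systems which are routers for complicated networks", but the remediation `net.ipv4.conf.all.rp_filter=1` is strict mode; loose mode (value 2) exists precisely for multi-homed hosts and asymmetric routing and is usually the right setting there, so the rationale should point to it instead of telling router operators to leave filtering off. The description could also note that the kernel applies the larger of conf.all.rp_filter and the per-interface value, so setting `all` to 1 is an effective floor for every interface. The row text is identical to the block removed in the next hunk; only its position changed.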
@@ -278,35 +299,14 @@
Req-1.4.3 |
- Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
-
- To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
- |
-
- Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
- |
-
-
- Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
@@ -331,34 +331,34 @@
Req-2.2 |
- Configure OpenSSL library to use System Crypto Policy |
+ Configure SSH to use System Crypto Policy |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
+SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
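Review bot: the Req-2.2 row changes from "Configure OpenSSL library to use System Crypto Policy" to "Configure SSH to use System Crypto Policy", and these are two separate rules in the guide, not a rename. The hunk header shows equal line counts (-34/+34), so this is probably another reorder with the OpenSSL row now elsewhere in the table, but the excerpt does not show where; please confirm the OpenSSL mapping to Req-2.2 was not dropped.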
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 7
+1DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R12.
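Review bot: the removed and added lines are identical in this listing ("1DISA STIG for Red Hat Enterprise Linux 7"), so whatever changed is in markup the excerpt strips, most likely an attribute such as a version or date on the tailoring/benchmark element. If that value comes from the build clock rather than SOURCE_DATE_EPOCH or a source-controlled release date, the tailoring file will differ on every rebuild and cannot be verified reproducibly. The rhel8 tailoring hunk below shows the same pattern.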
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 8
+1DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R11.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -53,7 +53,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
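Review bot: "- draft" / "+ draft" with identical visible text means the change is in a stripped attribute of the status element, almost certainly its date. A datastream whose status date tracks the build time will never compare equal across rebuilds; derive it from SOURCE_DATE_EPOCH or from the content version's release date. The same pair opens every ds and xccdf file in this diff, so one fix in the generator covers all of them.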
@@ -106,20 +106,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
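Review bot: nothing in this hunk survived except the +/- markers, so the actual change cannot be reviewed from this listing; the header (-106,20 +106,38) shows a net 18 lines added, i.e. new elements rather than a pure reorder. The following hunks in this file (and in the other ds/xccdf files) have the same problem. Please attach a diff that keeps element content, or diff the pretty-printed XML, so the added entries can be checked against the rule additions visible in the table diffs above.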
@@ -127,86 +145,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -227,250 +242,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -55,7 +55,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -108,20 +108,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -129,86 +147,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -229,250 +244,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,20 +51,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -72,86 +90,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -172,250 +187,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -81,7 +81,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -134,9 +134,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -144,15 +145,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -160,80 +184,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -242,16 +263,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -270,200 +281,193 @@
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -83,7 +83,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -136,9 +136,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -146,15 +147,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -162,80 +186,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -244,16 +265,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -272,200 +283,193 @@
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,9 +51,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -61,15 +62,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -77,80 +101,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -159,16 +180,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -187,200 +198,193 @@
-
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -37,7 +37,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -90,9 +90,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -100,109 +101,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -223,238 +216,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -39,7 +39,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -92,9 +92,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -102,109 +103,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -225,238 +218,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,9 +51,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -61,109 +62,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -184,238 +177,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -49,7 +49,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -97,15 +97,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -113,75 +119,76 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -202,97 +209,71 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
-
+
-
+
-
+
+
+
-
-
-
-
-
-
+
-
+
-
-
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -49,7 +49,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -97,15 +97,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -113,75 +119,76 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -202,97 +209,71 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
-
+
-
+
-
+
+
+
-
-
-
-
-
-
+
-
+
-
-
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,172 +7,166 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Uninstall nfs-utils Package
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Specify UID and GID for Anonymous NFS Connections
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-nfs_no_anonymous_action:testaction:1
-
- Enable auditd Service
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Enable TCP/IP syncookie support
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Harden SSH client Crypto Policy
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Disable Host-Based Authentication
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Uninstall rsh Package
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Ensure Software Patches Installed
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Enable the USBGuard Service
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-service_usbguard_enabled_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Disable GNOME3 Automounting
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-dconf_gnome_disable_automount_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Configure dnf-automatic to Install Only Security Updates
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1
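Review bot: this hunk replaces a block of questionnaire entries with a block of unrelated ones of exactly the same shape (for example "Install usbguard Package" out, "Enable the USBGuard Service" in; "Configure auditd Disk Error Action on Disk Error" with the auditd_data_disk_error_action id out, a same-titled entry with the _stig id in). That is the signature of entries being written in the iteration order of an unordered collection; sort entries by test-action id before emitting so the OCIL document is stable between builds. Minor: the doubled apostrophe in "Set PAM''s Password Hashing Algorithm" on the old side looks like an escaping artifact in the source title.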
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -48,15 +48,21 @@
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -64,75 +70,76 @@
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -153,97 +160,71 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
-
+
-
+
-
+
+
+
-
-
-
-
-
-
+
-
+
-
-
-
-
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -76,15 +76,32 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -92,65 +109,65 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
@@ -159,11 +176,6 @@
-
-
-
-
-
@@ -182,235 +194,223 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -35,7 +35,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -78,15 +78,32 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -94,65 +111,65 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
@@ -161,11 +178,6 @@
-
-
-
-
-
@@ -184,235 +196,223 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,196 +7,190 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Uninstall nfs-utils Package
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Enable auditd Service
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Install the Asset Configuration Compliance Module (ACCM)
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-install_mcafee_hbss_accm_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Disable Host-Based Authentication
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Uninstall quagga Package
+
+ Uninstall rsh Package
- ocil:ssg-package_quagga_removed_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Ensure Software Patches Installed
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Use Kerberos Security on All Exports
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,15 +43,32 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -59,65 +76,65 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
@@ -126,11 +143,6 @@
-
-
-
-
-
@@ -149,235 +161,223 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -81,102 +81,123 @@
-
+
-
-
+
+
-
+
-
+
+
-
+
+
+
+
+
+
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
-
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -197,263 +218,237 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -35,7 +35,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -83,102 +83,123 @@
-
+
-
-
+
+
-
+
-
+
+
-
+
+
+
+
+
+
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
-
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -199,263 +220,237 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,208 +7,208 @@
2023-10-17T00:00:00
-
- Install usbguard Package
+
+ Uninstall nfs-utils Package
- ocil:ssg-package_usbguard_installed_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Configure auditing of unsuccessful file accesses
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-audit_access_failed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Enable auditd Service
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Install the Asset Configuration Compliance Module (ACCM)
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-install_mcafee_hbss_accm_action:testaction:1
-
- Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
+
+ Disable Host-Based Authentication
- ocil:ssg-configured_firewalld_default_deny_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Uninstall rsh Package
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Uninstall quagga Package
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-package_quagga_removed_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Ensure Software Patches Installed
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Enable the USBGuard Service
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-service_usbguard_enabled_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Configure auditd Disk Error Action on Disk Error
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -48,102 +48,123 @@
-
+
-
-
+
+
-
+
-
+
+
-
+
+
+
+
+
+
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
-
-
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -164,263 +185,237 @@
-
-
-
-
-
-
+
-
-
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -81,89 +81,90 @@
-
+
-
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -184,193 +185,192 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -35,7 +35,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -83,89 +83,90 @@
-
+
-
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -186,193 +187,192 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,178 +7,178 @@
2023-10-17T00:00:00
-
- Install usbguard Package
+
+ Uninstall nfs-utils Package
- ocil:ssg-package_usbguard_installed_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Configure auditing of unsuccessful file accesses
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-audit_access_failed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Enable auditd Service
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Enable TCP/IP syncookie support
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Harden SSH client Crypto Policy
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-configured_firewalld_default_deny_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Disable Host-Based Authentication
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Uninstall quagga Package
+
+ Uninstall rsh Package
- ocil:ssg-package_quagga_removed_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Ensure Software Patches Installed
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Enable the USBGuard Service
- ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
+ ocil:ssg-service_usbguard_enabled_action:testaction:1
-
- Use Kerberos Security on All Exports
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Configure dnf-automatic to Install Only Security Updates
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -48,89 +48,90 @@
-
+
-
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
+
+
+
+
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -151,193 +152,192 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -81,161 +81,133 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -81,161 +81,133 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,130 +7,136 @@
2023-10-17T00:00:00
-
- Install usbguard Package
+
+ Configure auditing of unsuccessful file accesses
- ocil:ssg-package_usbguard_installed_action:testaction:1
+ ocil:ssg-audit_access_failed_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - fusermount
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-audit_rules_privileged_commands_fusermount_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Enable auditd Service
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Disable Host-Based Authentication
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
+
+ Enable the USBGuard Service
+
+ ocil:ssg-service_usbguard_enabled_action:testaction:1
+
+
+
Configure auditd Disk Error Action on Disk Error
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Record Any Attempts to Run seunshare
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-audit_rules_execution_seunshare_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Enable logrotate Timer
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-timer_logrotate_enabled_action:testaction:1
-
- Harden SSH client Crypto Policy
+
+ Enable SLUB/SLAB allocator poisoning in zIPL
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-zipl_slub_debug_argument_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Use Centralized and Automated Authentication
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Disable support for /proc/kkcore
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pkexec
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pkexec_action:testaction:1
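Review bot: the added questionnaire title "Disable support for /proc/kkcore" misspells the path; the paired identifier ocil:ssg-kernel_config_proc_kcore_action:testaction:1 refers to kcore, so the title should read "Disable support for /proc/kcore" to match the rule it points at.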
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -48,161 +48,133 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -49,7 +49,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -92,20 +92,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -113,86 +131,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -213,250 +228,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -51,7 +51,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -94,20 +94,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -115,86 +133,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -215,250 +230,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,310 +7,262 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Disable the zoneminder_run_sudo SELinux Boolean
-
- ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1
-
-
-
- Record Unsuccessful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
-
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
-
-
- Set Existing Passwords Warning Age
-
- ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1
-
-
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
-
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
-
-
-
- Ensure Home Directories are Created for New Users
-
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
-
-
-
- Ensure Chrony is only configured with the server directive
-
- ocil:ssg-chronyd_server_directive_action:testaction:1
-
-
-
- Add hidepid Option to /proc
+
+ Uninstall nfs-utils Package
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Enable auditd Service
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Disable the polipo_connect_all_unreserved SELinux Boolean
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1
-
- Disable the cdrecord_read_content SELinux Boolean
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Specify UID and GID for Anonymous NFS Connections
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-nfs_no_anonymous_action:testaction:1
-
- Ensure the audit-libs package as a part of audit Subsystem is Installed
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-package_audit-libs_installed_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Disable the httpd_dbus_avahi SELinux Boolean
+
+ Disable the openvpn_enable_homedirs SELinux Boolean
- ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1
+ ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
-
- Disable the webadm_read_user_files SELinux Boolean
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sebool_webadm_read_user_files_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable the squid_connect_any SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_squid_connect_any_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Harden SSH client Crypto Policy
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Disable the global_ssp SELinux Boolean
+
+ Disable the ftpd_full_access SELinux Boolean
- ocil:ssg-sebool_global_ssp_action:testaction:1
+ ocil:ssg-sebool_ftpd_full_access_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Disable the openshift_use_nfs SELinux Boolean
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
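Review bot: the `- draft` / `+ draft` pair at the top of this hunk has identical visible text, so whatever differs sits in the element's attributes, which for an XCCDF `<status>` element is its `date`; treat this as a build-date difference rather than a content change, and consider deriving that date from the source tree (a fixed value or SOURCE_DATE_EPOCH) so that two builds of 0.1.70 produce byte-identical benchmarks instead of tripping build-compare on every rebuild.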
@@ -43,20 +43,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
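Review bot: none of the thirty changed lines in this hunk carry any text, only the `+`/`-` markers, so there is nothing here a reviewer can check; the element content was lost when the comparison output was rendered. Re-run the comparison on the raw XML (or `diff -u` the two files directly) before deciding whether this is a reorder, a removal or a whitespace-only change, and apply the same to the other all-marker hunks in this report.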
@@ -64,86 +82,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -164,250 +179,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -120,9 +120,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -130,15 +131,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -146,80 +170,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -228,16 +249,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -256,200 +267,193 @@
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -79,7 +79,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -122,9 +122,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -132,15 +133,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -148,80 +172,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -230,16 +251,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -258,200 +269,193 @@
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,316 +7,280 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Disable the zoneminder_run_sudo SELinux Boolean
-
- ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1
-
-
-
- Record Unsuccessful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
-
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
-
-
- Set Existing Passwords Warning Age
-
- ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1
-
-
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
-
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
-
-
-
- Ensure Home Directories are Created for New Users
+
+ Uninstall nfs-utils Package
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Configure auditing of unsuccessful file accesses
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_access_failed_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Enable auditd Service
+
+ Disable the polipo_connect_all_unreserved SELinux Boolean
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Disable the cdrecord_read_content SELinux Boolean
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Specify UID and GID for Anonymous NFS Connections
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-nfs_no_anonymous_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Disable the httpd_dbus_avahi SELinux Boolean
+
+ Disable the openvpn_enable_homedirs SELinux Boolean
- ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1
+ ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
-
- Disable the webadm_read_user_files SELinux Boolean
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sebool_webadm_read_user_files_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable the squid_connect_any SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_squid_connect_any_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Harden SSH client Crypto Policy
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Disable the global_ssp SELinux Boolean
+
+ Disable the ftpd_full_access SELinux Boolean
- ocil:ssg-sebool_global_ssp_action:testaction:1
+ ocil:ssg-sebool_ftpd_full_access_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Disable the openshift_use_nfs SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,9 +43,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -53,15 +54,38 @@
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -69,80 +93,77 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -151,16 +172,6 @@
-
-
-
-
-
-
-
-
-
-
@@ -179,200 +190,193 @@
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -76,9 +76,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -86,109 +87,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -209,238 +202,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -35,7 +35,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -78,9 +78,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -88,109 +89,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -211,238 +204,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,790 +7,784 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Disable the zoneminder_run_sudo SELinux Boolean
+
+ Uninstall nfs-utils Package
- ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1
+ ocil:ssg-package_nfs-utils_removed_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Configure auditing of unsuccessful file accesses
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-audit_access_failed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Set Existing Passwords Warning Age
+
+ Disable the polipo_connect_all_unreserved SELinux Boolean
- ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1
+ ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Add nodev Option to Non-Root Local Partitions
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1
-
- Enable auditd Service
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Disable the cdrecord_read_content SELinux Boolean
+
+ Disable the openvpn_enable_homedirs SELinux Boolean
- ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
+ ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Harden SSH client Crypto Policy
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Disable the ftpd_full_access SELinux Boolean
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-sebool_ftpd_full_access_action:testaction:1
-
- Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Disable the httpd_dbus_avahi SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
- ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1
-
- Disable the webadm_read_user_files SELinux Boolean
+
+ Uninstall setroubleshoot-server Package
- ocil:ssg-sebool_webadm_read_user_files_action:testaction:1
+ ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1
-
- Disable the squid_connect_any SELinux Boolean
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-sebool_squid_connect_any_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Disable Host-Based Authentication
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Disable the global_ssp SELinux Boolean
+
+ Uninstall rsh Package
- ocil:ssg-sebool_global_ssp_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
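Review bot: the title `Set PAM''s Password Hashing Algorithm` on the removed side carries a doubled apostrophe, which looks like an escaping artefact from the content source rather than intended text; `Record Events that Modify the System's Network Environment` in the same hunk uses a single apostrophe. Since this hunk is also partly a reorder (`Enable the unconfined_login SELinux Boolean` is removed and re-added), check whether the `set_password_hashing_algorithm_systemauth` entry is re-emitted further down with the same typo and fix the title in the rule definition so it reads `Set PAM's Password Hashing Algorithm`.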
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,9 +43,10 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
@@ -53,109 +54,101 @@
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
+
-
-
-
+
+
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -176,238 +169,246 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -37,7 +37,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -80,15 +80,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -96,59 +102,53 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -157,170 +157,170 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -37,7 +37,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -80,15 +80,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -96,59 +102,53 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -157,170 +157,170 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,238 +7,226 @@
2023-10-17T00:00:00
-
- Install usbguard Package
-
- ocil:ssg-package_usbguard_installed_action:testaction:1
-
-
-
- Record Unsuccessful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Enable the unconfined_login SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sebool_unconfined_login_action:testaction:1
-
- Ensure Home Directories are Created for New Users
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Enable auditd Service
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable the xserver_object_manager SELinux Boolean
+
+ Enable TCP/IP syncookie support
- ocil:ssg-sebool_xserver_object_manager_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Enable the unconfined_login SELinux Boolean
+
+ Harden SSH client Crypto Policy
- ocil:ssg-sebool_unconfined_login_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Set PAM''s Password Hashing Algorithm
+
+ Force opensc To Use Defined Smart Card Driver
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-force_opensc_card_drivers_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Disable Host-Based Authentication
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Uninstall rsh Package
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure Software Patches Installed
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Require Authentication for Emergency Systemd Target
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-require_emergency_target_auth_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure No Daemons are Unconfined by SELinux
+
+ Remove User Host-Based Authentication Files
- ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
+ ocil:ssg-no_user_host_based_files_action:testaction:1
-
- All Interactive Users Must Have A Home Directory Defined
+
+ Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1
+ ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
-
- Use Kerberos Security on All Exports
+
+ Verify Permissions on crontab
- ocil:ssg-use_kerberos_security_all_exports_action:testaction:1
+ ocil:ssg-file_permissions_crontab_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Use Centralized and Automated Authentication
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Enable the pcscd Service
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-service_pcscd_enabled_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
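Review bot: `Configure auditd Disk Error Action on Disk Error` now points at a different test action, `ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1` in place of `ocil:ssg-auditd_data_disk_error_action_action:testaction:1`, while the human-readable title is unchanged. Two distinct checks sharing one title is confusing for whoever works through the questionnaire; give the STIG variant a title that states what differs (the required action value). This hunk is also partly a reorder (`Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters` is removed and re-added), so a sorted output would make the real replacement stand out.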
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,15 +43,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -59,59 +65,53 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -120,170 +120,170 @@
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -53,7 +53,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -106,20 +106,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -127,86 +145,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -227,250 +242,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -55,7 +55,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -108,20 +108,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -129,86 +147,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -229,250 +244,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,20 +51,38 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
-
+
@@ -72,86 +90,83 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
-
+
+
@@ -172,250 +187,241 @@
-
+
-
+
+
+
+
+
+
-
+
-
-
+
RPMS.2017/scap-security-guide-ubuntu-0.1.70-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.70-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.70-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.70-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -199,4 +199,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 0a750b41ed88dca8b8a3ac4d964cc1f96b7c13dff6d60ec295942d5bf6ae3a20 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 5a18a07e1c1bc79886267e3e144b67273844f80462a0dfe262beeb15473ae945 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html e524a58deafa8fa24f824c08b3b535215af26f7e096f68d6ae9f1a728a1e46db 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 16a8ed513efdcc96b752580210982d52a4e38f0022107cda8fa32ea0b90f69f1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html bdc33c1ddf14a5a4be080ebf7d8ac0dd634761da51725eff5b95582e5d0a522f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html c25cf3e822cecfb61481255264ba2e2207707c51e24b881561771186840b1b59 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 13201f4be2c52f11bbe83e1eb4a8b219d65ab58bd693622937b5b1c4c934c0d1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 6e1207b1b41c865f32a8dc795cb867e87f3a48af19c01a36456215204b7ada14 2
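Review bot: every guide listed in this hunk gets a new SHA-256 digest although both packages are built from scap-security-guide-ubuntu 0.1.70 and the trailing `2` column is unchanged. Together with the status-only differences in the XCCDF files above, this points at a timestamp embedded in the rendered HTML guides; pin that timestamp (for example to the source date) so the package is reproducible and a build-compare run like this one flags only genuine content changes.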
@@ -204,6 +204,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html d5413755dc1fbf8b42c319e376aff0bd454e4311aa549ec5ef0de4177648a19f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html eb04264ad3d0076bd79cead830a3aab485874c2595cafb9369480ad9c033191c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 8e22fefe2bfea9d7587636a513f6ccfd890095fa0db15381c140cdecf98880da 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 0e9b5eed35e49580cbc0b8f54ca4669337cd0f804faff50d18d74476b986bb61 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 8320c0c41b0f50feb08b7b2daa8370d9b167466b5b2050ee8ab151b66c221389 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html e7d4492be2273e8977383084d620add8e0e252baa158e34ac9d6a13dab50a464 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html ca5c698660e7498111e7d5136d193410d653e5d13758b3a03889d61ad9394c4a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html b1463aa022a6b9a449d60787deedc6740c00b6c9fc77a74cf699f49a15ddcb1d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html cce1ca0886286784460d7f6d587958105752c8e13b9dc980b3563d49c47d695a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 92a734b2f33b9ed8151e751e3d642fd72e64c328b2055df98c316a30d9666414 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 6d55802686226b4e6585f67051974958d073b534ce6fb82c45524015a2ad3b0d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html e1030a18e73a9ec7810be1c6f37fd41d1ccf096294019c62d4f546a128c5af2d 2
@@ -211,5 +211,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 3fae9e2d2c2be47dd3ede6a207998a717b33671f798f75ad5fea6d0e9d356b40 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 53d3f47c6d9b364867f56524aa3c48176b00b8987cac48a6ac79c1f8ecd8c585 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 4a64717753e61d0ea622a0c73476a024757e5c9d2beddac6d5d2b3f9ddd12788 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 3d93d990c333ce0eba43fa4acce56856b76c4c57c87c6e9226d42fcd6ed2e14a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html ccff9c40654f28b938660750d37a82dbfff9bc0c7e63c355af8790db71cfa2de 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 3e666259dd58539f9d0a879ff26dbee60974d74eca5226d0f0a5a2f1ae691270 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 045a1812012a42f782504165e42274a04abdd53955914f13950ec27577fe0eae 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 0b36190b205044a0ea8da9254fd05e51ed4719b7b8878446946fad846cb5c56e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 0d9df8a841d1359f98915f7dfa70d57256ca7d2d0ded15b6031b96474ffe1bc2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 8d65f27dd3efcd2af3a4b3f75b724496ba399f8f8ead3a61c21e07a7a6fcf4f7 2
@@ -217,6 +217,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 3c07a6908a00292286b821de2cb20234e7bb3b49d0270c3ba47a5c925c2c8603 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 667b9693d854fbfd886d3acb5789d262797acb5bb2404f35f86cbe6371fdc5cc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 99c382586a7f77f72ed3d30a4625c24727aa8a1290c9177a902618591be44d43 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 3d2107a3e34bd333d78ca31d055cae1503df9029b4b5dd0db99ccdd8f16b3772 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 4eed6f69c4a306cb26a61ba4d71dab8e8057ab88d6ccc9f1fc16ba926d2b74dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 6f7bb673d7d6a1717160cdd1acf3535acec82d48e458dd42bc1bdeeebc88ebd5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html ab1a620c2c09ada364676ecd255f10aae74c367f7a82253bbd10b3a663804bdf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html b0e42480f0b9054197036057754fffb3db17a0ffa50014032f82ebc383df9602 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html ae585b18e72f51ff8b7bebc64accf2f6887384d15284ae1717d70d3195d35815 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 228a32ec9ea4fbd80d63e2f7005a3d048a95f2cc16a596ddda18ed7b5a0de20e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 264f8a49632919e34632095d58c06ecece88b63614dee27ba10d1491cf8d5eb6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 6e34954ad59f70b9ed15975c2f9ab4802a321e6f8f83466a831d50b0648b40dd 2
@@ -224 +224 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html f13128fed3de0d546cd188f82bbeb7e75b7ced6e7ccee4313fb59f631cbf6385 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html e22398fa81a48fb7f4e3be49f09c3c7cfe6d3c24d08a932bc21dde3954b0cd52 2
@@ -281,3 +281,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 01b39d62b706f3a7807621ba55c54cea7910f31b87f12c3a5ebbfff031b32b33 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml d0b743750b0828e0dea89b619a08f025d272591bd329a6567569439bf32ef74b 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 820e1ebd7dfaa1b4dae222d207349f8dd99e476fca5b58b3a2cf77dab5f0131b 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml c07b69caa2f36ae4d117a8fd0795b790dc1ff8cae7fbbd6a2416835f3ec89399 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml f4f1629dc168768bb5887e926bb51f1e3949c29c2b84dc7e97e681aef1347f26 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml bae6847c0bce08b5589c225e0f08936736fb4e072eae4dd591af81a717c5b5e3 0
@@ -285 +285 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 3f901051093996a65eedbb05af4196b8a85390c88509d456d19953395d1f0af7 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 58e5608ecc6fc6f3b35a8c6c6552e4e60edb330c927c2b9d8a03af80f17ed32f 0
@@ -288,3 +288,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 0314547c84d9929a895a9c9cde5bc162def4c07899ef7664157a421a300585bb 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml c7b74a9231956a72a446ca256c55a8255061570cb89704d2bb4f2e644b6a44ac 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml d3b50f05df52a5bdd259eeedcbbae90203512dfe89a317cd40212e652df58612 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml cfcbf4f4845a8ce2be8a9cb90c2135f7833c5081c9456148287e1322998a83b5 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml a9fc2cbe1ed94fe85439998030b4074f67001cf51a266d08224f8bbea5b0305b 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml f5fe1ad8ed2474496a816239a24a004772c7d6f60f6874d1f8060ea1a2dba94a 0
@@ -292 +292 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml a12539cfdf2b3f59a4494fbe6c8457018f6934a7dfa5e166fefdb2d15ec0bdd4 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 53294d9005fe6fb89c673af6976749af5b28f16842dbf3bec62769c8c3afc792 0
@@ -295,3 +295,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 56c7a6793796e6ae0b17138d70ec6e65282977f4a31a508ed9c8ddfa36d27ca4 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 6c6a72487f0c579086bf6a08a7808af9752a78f8b0aa6b53f9483eb33ebd7239 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 4aee002c05099f97fda457d4882e9c15d700d9f42e0b0765faae609aad57b09b 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml bd1bc95864f58c0f512af3fe5aa108b9bc03951738c6a89552091a9dd988c364 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml ff284ea40e6340fd63aa0dcffe00dc4e6edc6abe8b0145dbc3b35ae3af976d83 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml dae162f0a2c68bc2795d9be30a188e6b1f4263afd6f393db09b6bc642b320c38 0
@@ -299 +299 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 8f724c8dc3a0acf6f451a60f2baa9f65038d6e9cc318e55a95ee667f716445cb 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml bc58f3ddae2bbbbb763b66d0d3485e0f071fad9adf362ab3352bdcead86c2c45 0
@@ -302,3 +302,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml b6fc26eaa152f3532ddd8994f45877b2a010de74f589d14d25dab46e00e8788a 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 0db922f0a71fc504ea5d1f840e925471a70129406e67d95ef54f327f37f064bc 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml d1ae0a89c8070da6cd25320e4d003d87cf4324c79624d3de939350fdc0dcf354 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 150030a66d39d04a2e3b3c351c037fe804801f18c5e80c2f07ffb2edcfd30084 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml c9009c80237e7d3edac0d7efaac6b89148d151a4ec4f3e9ca6916854801c6086 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 7fe060626d4f9bd3d1390f06635ad4362f29a952748c45653e9c27d477e07795 0
@@ -306 +306 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 6803f30a09e176b60754d7ab9bed9807df67205c9196f1b45e29a329af2ad00c 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 25390955c49a35bb35c23751169e2989560459bdd9d31eee2c3eea636c96eec0 0
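Review bot: every path in these hunks is removed and re-added with only its checksum changed (the trailing column, 2 for the guides and 0 for the datastream XML, is identical on both sides), so the package's file set is unchanged and what differs is the regenerated guide and datastream content between the two builds. Before treating this as a real content update, diff the generated files themselves to separate genuine changes from build-time drift.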
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 40 rules | Group
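Review bot: the only change in this hunk is the revision date embedded in the guide, '(as of 2023-10-20)' becoming '(as of 2039-11-21)', a date sixteen years in the future, which shows the generator stamps the guide with the build machine's clock. A build-time timestamp inside generated content makes every guide's checksum differ on each rebuild; derive the date from a fixed source (the content version, or SOURCE_DATE_EPOCH when it is set) so the guides are reproducible.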
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
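Review bot: the removed and added 'Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD' blocks are word-for-word identical, from the description through the References list and the rule ID xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd; what changes is only the block's position relative to the '| Rule' separators and the trailing cell markers ('| | |' versus '| |'). That is layout or ordering drift in the rendered table, not a change to the rule, so the generator should emit rules in a stable order and the comparison should be run on the HTML source, where cell boundaries are explicit, rather than on the text rendering.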
@@ -333,109 +333,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 22 groups and 46 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -365,15 +365,7 @@
[[packages]]
name = "auditd"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
@@ -394,6 +386,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
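Review bot: together with the preceding hunk (@@ -365,15 +365,7 @@) this only moves the 'Remediation Shell script' block, the apt-get install -y "auditd" snippet guarded by the /.dockerenv and /run/.containerenv checks, from before the Ansible snippet to after it; neither the script nor the Ansible task changes. Remediation snippets are being rendered in a different order between builds; sort them by type when generating the guide so the output is deterministic.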
@@ -420,18 +420,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -497,6 +486,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
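Review bot: the relocated script's applicability guard, dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed, matches any status containing the substring 'installed', which includes 'not-installed' and 'half-installed', so the remediation can run systemctl unmask/start/enable for auditd.service on a host where the package is not actually installed. Use an exact whole-line match (grep -qx installed) for the check. Apart from that, this pair of hunks is the same block reordering as the package-install remediation above and should be addressed by the same deterministic ordering fix.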
@@ -605,109 +605,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 9 groups and 19 rules | Group
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,8 +243,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group , run the command: $ sudo chgrp root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow , run the command: $ sudo chgrp shadow /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow , run the command: $ sudo chgrp shadow /etc/shadow | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group , run the command: $ sudo chown root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns gshadow File
[ref] | To properly set the owner of /etc/gshadow , run the command: $ sudo chown root /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 21 groups and 45 rules | Group
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
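Review bot: the References line of sudo_remove_no_authenticate is deleted without a visible replacement, and the whole sudo_remove_nopasswd rule is deleted and re-added with identical description, rationale, severity, rule ID and references, the only visible difference being the trailing cells ("| | |" against "| |"). The header's 22-to-7 line count also does not match the 12 deletions and 11 additions shown, which points to very long table rows having been collapsed by the text extraction; the missing no_authenticate references are presumably inside one of them. Worth confirming with a word diff that none of BP28(R59), CCI-002038, IA-11 or the SRG-OS-000373 entries actually dropped out of the rendered rule.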
@@ -365,15 +365,7 @@
[[packages]]
name = "auditd"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
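Review bot: this hunk only moves the "Remediation Shell script" block of package_audit_installed from before the Ansible snippet to after it; the command 'DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"' and its container guard come back unchanged in the next hunk, so there is no functional change. The odd shape (the Complexity/Disruption/Strategy rows kept as context while only the header and body move) is what diffing rendered text produces. The reorder itself is fine, but an ordering change that touches every remediation in every profile should be named in the changelog so reviewers are not left hunting for a script change that is not there.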
@@ -394,6 +386,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
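Review bot: the re-added script runs 'apt-get install -y "auditd"' without a preceding apt-get update and without looking at its exit status, so on a host with a stale or empty package index the install fails silently; the "nothing was done" message is printed only in the container branch. Either state in the rule text that the package index must be current, or append an explicit failure report such as '|| { >&2 echo "failed to install auditd"; exit 1; }' so a scan-and-remediate run can tell the difference. The /.dockerenv and /run/.containerenv guard is the right choice for skipping containers, where this rule is not meant to apply.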
@@ -420,18 +420,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
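Review bot: same reorder as for the package rule, now for service_auditd_enabled: the shell block with the unmask/start/enable sequence is removed here and re-added after the Ansible snippet without modification. The only thing worth stating in the rule text is that the applicability test is a dpkg-query status check rather than a file test, so on a host where the auditd package is absent the script prints "Remediation is not applicable" and exits 0, which a remediation loop will count as success.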
@@ -497,6 +486,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
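Review bot: the guard "dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed" is a substring match, so the dpkg states "not-installed" and "half-installed" also satisfy it and the script then tries to unmask, start and enable a unit that is not there. Anchor the match with 'grep -qx installed' so only the exact "installed" status passes. Separately, none of the three systemctl calls is checked and the script has no set -e, so a failed 'start' is hidden by the following successful 'enable'; at minimum the last command should propagate its exit status.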
@@ -558,109 +558,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 45 rules | Group
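Review bot: the header "-558,109 +558,7" announces a deletion of roughly a hundred lines, but right after the rsyslog_files_groupownership References line the text jumps into another guide's Profile Information and Table of Contents (Ubuntu 16.04 again, now "19 groups and 45 rules" instead of "21 groups and 45 rules") with no "--- old / +++ new" file header, and the deleted "Ensure Log Files Are Owned By Appropriate User" rule only surfaces as a three-line fragment much further down. Two profiles of the same guide have been interleaved here, so this hunk cannot be reviewed as shown; regenerate the comparison per file before deciding whether that rule was dropped from the profile or merely moved.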
@@ -241,15 +241,7 @@
[[packages]]
name = "auditd"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
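Review bot: identical move of the package_audit_installed shell remediation to the one in the anssi_np_nt28_restrictive profile (header "-241,15 +241,7", apt-get command and guard unchanged). Since the same generated block moves in every profile, this is a generator-level ordering change; fixing or documenting it once in the HTML template covers all of these hunks.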
@@ -270,6 +262,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
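Review bot: in the lines shown, the Ansible variant ("package: name: auditd state: present") carries no container guard while the shell variant skips Docker and Podman environments, so the two remediation types of one rule can disagree on applicability. If the Ansible snippet has an equivalent 'when:' condition it is outside this hunk; if not, the two should be aligned so a host remediated by either path ends up in the same state.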
@@ -296,18 +296,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
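Review bot: the moved script hardcodes SYSTEMCTL_EXEC='/usr/bin/systemctl'. On Ubuntu 16.04 and 18.04 installs without a merged /usr (the default for these releases) systemctl is shipped as /bin/systemctl and /usr/bin/systemctl may not exist, in which case every call fails with "No such file" and the rule is never remediated. Resolve the binary with 'command -v systemctl' or simply call systemctl from PATH.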
@@ -373,6 +362,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
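Review bot: the 2>/dev/null on dpkg-query hides every error from the status lookup (locked dpkg database, unreadable /var/lib/dpkg), so a query that could not run is reported with the same "Remediation is not applicable" message as a genuinely absent package. Dropping the redirect, or testing dpkg-query's exit status separately from the grep, keeps the two cases distinguishable in remediation logs.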
@@ -434,109 +434,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
-rsyslog should be
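Review bot: this is the tail of the 109-line deletion that begins at the rsyslog_files_groupownership rule: the "Ensure Log Files Are Owned By Appropriate User" rule is shown being removed and is cut off after "rsyslog should be", with its rule ID, References line and any replacement absent from the listing. A rule disappearing from a profile is a hardening regression if unintended; check the profile's rule selection for the log-file ownership rule and, if it was dropped on purpose, record the reason in the changelog.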
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 40 rules | Group
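Review bot: same future-dated build stamp as in the 16.04 guides ("as of 2039-11-21"), and the 7/7 header confirms it is the only change in this hunk. This belongs to the HTML generator, not to the individual guide, and should be fixed once at the source of the date.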
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
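Review bot: the rule text re-added here says NOPASSWD must not appear in "/etc/sudoers ... or any sudo configuration snippets in /etc/sudoers.d/", but sudoers can pull in other files through #include and #includedir (or @include in newer sudo) and rules can also come from LDAP or SSSD. The description should either say the check covers only those two locations or point readers at the effective result ('sudo -l -U <user>'), otherwise a NOPASSWD entry in an included file elsewhere passes the rule as written. The delete-and-re-add of the otherwise identical rule is the same table-cell artifact seen in the 16.04 guides.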
@@ -333,109 +333,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 22 groups and 46 rules | Group
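Review bot: the same interleaving as in the 16.04 listing: after the rsyslog_files_groupownership References line the hunk runs into a different Ubuntu 18.04 profile ("22 groups and 46 rules", with GRUB2 and auditd groups the previous profile lacked) without a file header, so the "-333,109 +333,7" deletion cannot be verified from this text. Regenerate per file.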
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
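Review bot: third copy of the same delete-and-re-add of sudo_remove_nopasswd, line for line unchanged, and again with the sudo_remove_no_authenticate References line deleted without a visible counterpart. A constant 15-line shrink repeating in every profile points at one shared template change (the trailing cells), so confirm it once on the template rather than per profile.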
@@ -365,15 +365,7 @@
[[packages]]
name = "auditd"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
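Review bot: the removed shell block quotes the package name ('"auditd"') and the Ansible snippet uses the bare name, while the tag on the rule is package_audit_installed; the Debian package really is auditd, so this is consistent, but the differing spellings across the three remediation types make a grep for the package in the generated content unreliable. Nothing else changes in this move.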
@@ -394,6 +386,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
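Review bot: in the re-added block the "not applicable" branch writes to stderr and then falls off the end of the script with exit status 0, so a remediation run inside a container reports success for a rule it did not apply. If the tooling distinguishes "fixed" from "skipped", a dedicated non-zero exit code here is what makes that visible.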
@@ -420,18 +420,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
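Review bot: the removed block runs 'unmask', 'start' and 'enable' unconditionally, which will also undo a deliberate mask (for example an operator stopping auditd during disk imaging). That is acceptable for a remediation whose Strategy is "enable", but the Disruption rating of "low" should mention that a masked unit is forced back on.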
@@ -497,6 +486,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
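Review bot: the same service script as in the other profiles: the unanchored 'grep -q installed' (which also matches "not-installed") and the unchecked systemctl calls are present here as well. Fix both in the shared template rather than in each profile's output; the hunk itself is a pure move.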
@@ -605,109 +605,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 9 groups and 19 rules | Group
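Review bot: a third profile's Profile Information and Table of Contents ("9 groups and 19 rules") is spliced into the "-605,109 +605,7" hunk with no file header, so the deletion this header describes is again not reviewable from the listing. One regenerated diff per profile would make these three rsyslog hunks readable.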
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,8 +243,7 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group , run the command: $ sudo chgrp root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow , run the command: $ sudo chgrp shadow /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd , run the command: $ sudo chgrp root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow , run the command: $ sudo chgrp shadow /etc/shadow | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group , run the command: $ sudo chown root /etc/group | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns gshadow File
[ref] | To properly set the owner of /etc/gshadow , run the command: $ sudo chown root /etc/gshadow | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd , run the command: $ sudo chown root /etc/passwd | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 45 rules | Group
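Review bot: the only change in this hunk is the build timestamp in the Revision History line, `- (as of 2023-10-20)` becoming `+ (as of 2039-11-21)`, so the generated guide is not reproducible: rebuilding the same 0.1.70 sources on another day yields a different HTML file. If a date belongs in the guide at all, take it from the content's release date or from SOURCE_DATE_EPOCH rather than from the wall clock at build time. The same one-line change recurs in the header hunk of every guide in this diff, and it is the reason these otherwise unchanged files are listed as differing at all.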
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/ . | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | |
| Group
System Accounting with auditd
Group contains 2 rules | [ref]
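Review bot: the removed block and the added block for xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd (from `Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD` down to the reference list ending in `SRG-OS-000373-GPOS-00158`) are identical text; the only difference is which side of the unchanged `| Rule` separator the block sits on, meaning the two builds emitted the rules of this group in a different order. Rule order within a group should be deterministic (the profile's selection order, or a sort on rule id); otherwise every rebuild produces a spurious reorder diff that makes real content changes harder to spot.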
@@ -365,15 +365,7 @@
[[packages]]
name = "auditd"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
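Review bot: the shell remediation removed here (from `Remediation Shell script` through `fi`) is re-added verbatim in the next hunk, `@@ -394,6 +386,14 @@`, after the Ansible snippet, so the net change is the rendering order of remediation types, not their content. The same remove-then-re-add pattern repeats for the auditd service enablement, aide, prelink and sudo blocks in every guide in this diff. The generator should emit remediations in a fixed, documented order instead of the iteration order of a dict or set that may vary between builds; that would make these rebuilt guides byte-identical apart from the timestamp.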
@@ -394,6 +386,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -420,18 +420,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -497,6 +486,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
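Review bot: the applicability guard in the re-added enable script, `dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed`, is an unanchored substring match and is therefore also true for the dpkg states `not-installed` and `half-installed`; on such a host the script goes on to run the unmask/start/enable calls against a unit that is not present and reports an error, where the intent was to print the not-applicable message and do nothing. `grep -qx installed` (or `grep -q '^installed$'`) makes the test mean what the comment above it says. The removed copy in the previous hunk has the same pattern, so this is pre-existing rather than introduced by the move, but the move is a good moment to fix it.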
@@ -558,109 +558,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 71 rules | Group
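Review bot: the hunk `@@ -558,109 +558,7 @@` is not reviewable from this rendering: its header announces 102 net removed lines, but the body shows only unchanged context plus the reference list of xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership, and that line runs straight into `Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~`, which is the opening of a different guide whose `differs` and `---`/`+++` headers are missing. The `Revision History` date hunk that follows therefore belongs to that unnamed second guide, not to anssi_np_nt28_restrictive. The same cut-off happens at `@@ -340,7 +340,331 @@` just below, whose 324 added lines never appear. Regenerate or re-paste the diff with intact file headers before signing off on those two hunks.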
@@ -340,7 +340,331 @@
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex | Identifiers and References | References:
- BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 45 rules | Group
@@ -239,15 +239,7 @@
[[packages]]
name = "auditd"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
@@ -268,6 +260,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -294,18 +294,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -371,6 +360,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -432,109 +432,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
-rsyslog should be
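Review bot: the removal of the rule `Ensure Log Files Are Owned By Appropriate User` in `@@ -432,109 +432,7 @@` has no visible counterpart, because the output stops at `-rsyslog should be` and the next line is the header of the ubuntu2004 cis_level1_server guide. Two things suggest this is another reorder rather than a dropped rule: the group header `Group contains 2 groups and 6 rules` a few lines up is unchanged context, and the rsyslog_files_groupownership rule before it keeps its description and rationale. Still, locate the rule in the rebuilt guide before accepting this, since a silently dropped rule in a published profile is worse than a noisy diff.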
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 93 groups and 260 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,6 +138,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -167,32 +167,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1, SV-238371r880913_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
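Review bot: `@@ -167,32 +167,7 @@` shows nothing but unchanged context and the reference list of xccdf_org.ssgproject.content_rule_aide_build_database, with no added lines, while its header accounts for 25 net removed lines; the remediation blocks that normally follow a rule's references are simply absent from this rendering, so whether they were dropped or moved cannot be told from the excerpt. The same holds for `@@ -379,21 +379,7 @@` (aide_periodic_cron_checking) right below and for the matching hunks in the cis_level1_workstation guide. Check the full diff for the corresponding `+` blocks before merging.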
@@ -379,21 +379,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2, SV-238236r853415_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -513,14 +513,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -556,6 +549,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 1 rule | [ref]
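Review bot: the re-added prelink shell remediation ends with `apt-get remove -y "prelink"`, while the Puppet snippet shown as context at the top of `@@ -513,14 +513,7 @@` uses `ensure => 'purged'`; the two remediations leave different end states (remove keeps the package's configuration files in dpkg's config-files state, purge does not). Pick one: use `apt-get purge -y` if the purged state is intended, or align the Puppet snippet with remove. Two smaller points on the same block: `[[ -f /usr/sbin/prelink ]]` is a bash-only test in a script family otherwise written with POSIX `[ ]` (compare the aide script above), and unlike the aide and auditd scripts this one has no `/.dockerenv` / `/run/.containerenv` guard, which should be a deliberate choice rather than an omission. Running `prelink -ua` before the removal is correct, since the undo tool disappears together with the package.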
@@ -619,21 +619,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
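Review bot: `@@ -619,21 +619,7 @@` is truncated: the removed gdm3 script stops at `>&2 echo 'Remediation is not applicable, nothing was done'` without its closing `fi`, and the next line is the header of the cis_level1_workstation guide, so the re-add that the pattern elsewhere in this diff predicts cannot be verified here. On the content itself, the guard `dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed` has the same unanchored-match problem as the auditd script (it also matches `not-installed`), and the CAUTION about removing packages that depend on gdm3 lives only inside the collapsed shell script; confirm the rule's description in the rendered guide carries the same warning, since that is what a reader sees before expanding the remediation.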
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 91 groups and 259 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,6 +138,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -167,32 +167,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1, SV-238371r880913_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -379,21 +379,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2, SV-238236r853415_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -513,14 +513,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -556,6 +549,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -734,15 +734,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
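Review bot: the sudo package shell remediation removed in `@@ -734,15 +734,7 @@` has no visible re-add, because this file's diff ends at the Ansible snippet's `state: present` and the next line is the header of the cis_level2_server guide. Given the identical aide and auditd moves above, this is almost certainly the same reorder, but it should be confirmed against the full diff rather than assumed.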
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 104 groups and 345 rules | Group
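Review bot: the only change in this hunk is the Revision History line, where `- (as of 2023-10-20)` becomes `+ (as of 2039-11-21)`, which shows that the generated guide stamps the build-time wall clock into the HTML instead of a date tied to the content version (0.1.70 on the unchanged line above it). That makes the guide non-reproducible and, in the second build, publishes a date well in the future. Derive the "as of" value from the benchmark's own version timestamp, or honour SOURCE_DATE_EPOCH when it is set, so that rebuilding the same sources yields the same HTML.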
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,6 +138,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -167,32 +167,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1, SV-238371r880913_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -379,21 +379,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2, SV-238236r853415_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -513,14 +513,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -556,6 +549,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -664,21 +664,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 104 groups and 347 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,6 +138,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -167,32 +167,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1, SV-238371r880913_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -379,21 +379,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2, SV-238236r853415_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -513,14 +513,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -556,6 +549,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -779,15 +779,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 22 groups and 45 rules | Group
@@ -268,15 +268,7 @@
[[packages]]
name = "auditd"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
@@ -298,6 +290,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -324,18 +324,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -401,6 +390,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -462,109 +462,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
-rsyslog should be
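Review bot: this hunk removes the `- Ensure Log Files Are Owned By Appropriate User` rule heading and the start of its description (`-rsyslog should be`) with no matching `+` lines visible before the diff is cut off at the next file header, so the hunk alone does not show whether the new build omits the rule or only moves it. The unchanged `Group contains 22 groups and 45 rules` line earlier in this file points to a reorder rather than a removal, but that should be confirmed against the full diff, and rule order within a group should be made deterministic in the same way as the remediation order in the other hunks.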
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- APT service configuration
- Base Services
- Deprecated services
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 76 groups and 198 rules | Group
@@ -123,15 +123,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -148,6 +140,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -169,32 +169,7 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1, SV-238371r880913_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -461,21 +461,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2, SV-238236r853415_rule | | |
| Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -928,37 +928,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, UBTU-20-010014, SV-238208r853405_rule | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 102 groups and 291 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -145,6 +137,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,32 +166,7 @@
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -450,21 +450,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -579,14 +579,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -622,6 +615,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -1214,15 +1214,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 98 groups and 285 rules | Group
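Review bot: the only difference in this hunk is the rendered revision date, which moves from 2023-10-20 to 2039-11-21 although both file headers carry the same 2023-10-17 timestamp, so the HTML guide is stamping the build machine's clock into its Revision History; take that date from the content's own version metadata or from SOURCE_DATE_EPOCH so that two builds of the same 0.1.70 sources render identically.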
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -145,6 +137,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
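Review bot: the "Remediation Shell script" block for aide (the apt-get install wrapped in the /.dockerenv and /run/.containerenv check) is identical in both builds and has only moved from before the "Remediation Ansible snippet" to after it, so what is nondeterministic here is the order in which remediation types are rendered, not the content; sort remediations by a fixed key (for example the remediation type name) when generating the guide, otherwise every rule with more than one remediation will keep showing up as a spurious diff.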
@@ -166,32 +166,7 @@
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -450,21 +450,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -579,14 +579,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -622,6 +615,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -1055,15 +1055,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 113 groups and 387 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -145,6 +137,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,32 +166,7 @@
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -450,21 +450,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -579,14 +579,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -622,6 +615,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -1250,21 +1250,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm
-# from the system, and may remove any packages
-# that depend on gdm. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 111 groups and 385 rules | Group
@@ -121,15 +121,7 @@
[[packages]]
name = "aide"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -145,6 +137,14 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,32 +166,7 @@
$ sudo /usr/bin/aide --check
If this check produces any unexpected output, investigate. | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -450,21 +450,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -579,14 +579,7 @@
ensure => 'purged',
}
}
- Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
-if [[ -f /usr/sbin/prelink ]];
-then
-prelink -ua
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
-
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
+
Remediation Ansible snippet ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
- name: Check If Prelinked Is Installed
ansible.builtin.stat:
path: /usr/sbin/prelink
get_checksum: false
@@ -622,6 +615,13 @@
- medium_severity
- no_reboot_needed
- package_prelink_removed
+
Remediation Shell script ⇲
Complexity: | medium |
---|
Disruption: | low |
---|
Strategy: | disable |
---|
+if [[ -f /usr/sbin/prelink ]];
+then
+prelink -ua
+fi
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "prelink"
|
| Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -1259,15 +1259,7 @@
[[packages]]
name = "sudo"
version = "*"
- Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure sudo is installed
package:
name: sudo
state: present
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.70 - draft
- (as of 2023-10-20)
+ (as of 2039-11-21)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 22 groups and 45 rules | Group
@@ -267,15 +267,7 @@
[[packages]]
name = "auditd"
version = "*"
-Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Ensure auditd is installed
package:
name: auditd
state: present
@@ -296,6 +288,14 @@
- medium_severity
- no_reboot_needed
- package_audit_installed
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -322,18 +322,7 @@
Remediation OSBuild Blueprint snippet ⇲
[customizations.services]
enabled = ["auditd"]
-
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
+
Remediation Ansible snippet ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -399,6 +388,17 @@
- medium_severity
- no_reboot_needed
- service_auditd_enabled
+
Remediation Shell script ⇲
Complexity: | low |
---|
Disruption: | low |
---|
Strategy: | enable |
---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
|
| Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -460,109 +460,7 @@
$ sudo chgrp adm LOGFILE | Rationale: | The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership | Identifiers and References | References:
- BP28(R46), BP28(R5), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001314, 4.3.3.7.3, SR 2.1, SR 5.2, 0988, 1405, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, 10.3.1, 10.3.2 | | |
| Rule
- Ensure Log Files Are Owned By Appropriate User
- [ref] | The owner of all log files written by
-rsyslog should be
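Review bot: unlike the earlier hunks, which only move snippets around, this one replaces 109 old lines with 7 according to the header, and the visible removed lines are the start of the rule "Ensure Log Files Are Owned By Appropriate User" with no matching re-add in the lines shown; check whether that rule is actually absent from the new rendering of the standard profile or has only been relocated, since a rule silently dropping out of a profile is a content regression, not a reproducibility nit.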
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -76,35 +76,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,58 +101,34 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
+
@@ -171,24 +136,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -196,9 +156,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -206,45 +177,74 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -35,7 +35,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -78,35 +78,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -114,58 +103,34 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
+
@@ -173,24 +138,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -198,9 +158,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -208,45 +179,74 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,58 +7,34 @@
2023-10-17T00:00:00
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
-
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
-
-
- Ensure Chrony is only configured with the server directive
-
- ocil:ssg-chronyd_server_directive_action:testaction:1
-
-
-
- Enable auditd Service
-
- ocil:ssg-service_auditd_enabled_action:testaction:1
-
-
-
- Set SSH Daemon LogLevel to VERBOSE
-
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
-
-
-
- Disable legacy (BSD) PTY support
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Enable TCP/IP syncookie support
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
@@ -67,160 +43,136 @@
ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
-
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
-
-
Disable Host-Based Authentication
ocil:ssg-disable_host_auth_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
-
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
-
-
-
- Verify Group Who Owns group File
-
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
-
-
- Enable systemd_timesyncd Service
-
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
-
-
-
- Disable SSH Access via Empty Passwords
+
+ Ensure Software Patches Installed
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure that Root's Path Does Not Include World or Group-Writable Directories
+
+ Use Centralized and Automated Authentication
- ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Verify Permissions on SSH Server Public *.pub Key Files
+
+ Disable support for /proc/kkcore
- ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Verify Group Who Owns group File
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Do Not Allow SSH Environment Options
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchmodat
+
+ Configure auditd Number of Logs Retained
- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
+ ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
-
- Verify User Who Owns Backup gshadow File
+
+ Configure the confidence in TPM for entropy
- ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
+ ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1
-
- Configure Backups of User Data
+
+ Enable cron Service
- ocil:ssg-configure_user_data_backups_action:testaction:1
+ ocil:ssg-service_cron_enabled_action:testaction:1
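Review bot: the OCIL questionnaire entries in this hunk are reshuffled rather than changed, e.g. "Verify Group Who Owns group File" with `ocil:ssg-file_groupowner_etc_group_action:testaction:1` is removed in one place and added back further down; emit the questionnaires in a stable order (sorted by their ocil id) so that the OCIL document is reproducible and genuine additions or removals stand out in a diff.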
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -43,35 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -79,58 +68,34 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
+
@@ -138,24 +103,19 @@
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -163,9 +123,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
@@ -173,45 +144,74 @@
-
-
-
+
+
+
+
+
+
+
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -76,35 +76,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,59 +107,50 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
-
+
+
+
+
+
+
-
-
+
@@ -172,97 +158,111 @@
-
-
-
+
+
+
-
+
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -76,35 +76,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -112,59 +107,50 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
-
+
+
+
+
+
+
-
-
+
@@ -172,97 +158,111 @@
-
-
-
+
+
+
-
+
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,82 +7,76 @@
2023-10-17T00:00:00
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
-
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
-
-
- Ensure Chrony is only configured with the server directive
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Enable auditd Service
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Enable TCP/IP syncookie support
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Harden SSH client Crypto Policy
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Disable Host-Based Authentication
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Ensure Software Patches Installed
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-security_patches_up_to_date_action:testaction:1
-
- Harden SSH client Crypto Policy
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Use Centralized and Automated Authentication
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
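Review bot: two of the added entries in this hunk carry titles that do not match their test-action ids and should be corrected in the source rule metadata rather than in the generated OCIL: `+ Disable support for /proc/kkcore` is paired with `ocil:ssg-kernel_config_proc_kcore_action:testaction:1` (the path is /proc/kcore, as the id says), and the title `Configure auditd Disk Error Action on Disk Error` appears on both sides of this hunk with two different ids, `ocil:ssg-auditd_data_disk_error_action_action:testaction:1` on the removed side and `ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1` on the added side, so an auditor reading the rendered questionnaire cannot tell the two checks apart by title. The remainder of the hunk is the same content shifted: `Harden SSH client Crypto Policy` and `Disable Host-Based Authentication` each appear once as removed and once as added.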
@@ -91,400 +85,394 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Enable systemd_timesyncd Service
-
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
-
-
-
- Disable SSH Access via Empty Passwords
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1
-
- Specify the hash to use when signing modules
+
+ Configure auditd Number of Logs Retained
- ocil:ssg-kernel_config_module_sig_hash_action:testaction:1
+ ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure the confidence in TPM for entropy
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1
-
- Ensure that Root's Path Does Not Include World or Group-Writable Directories
+
+ Enable cron Service
- ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1
+ ocil:ssg-service_cron_enabled_action:testaction:1
-
- Verify Permissions on SSH Server Public *.pub Key Files
+
+ Disable core dump backtraces
- ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
+ ocil:ssg-coredump_disable_backtraces_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Resolve information before writing to audit logs
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Do Not Allow SSH Environment Options
+
+ Verify User Who Owns gshadow File
- ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1
+ ocil:ssg-file_owner_etc_gshadow_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchmodat
+
+ Require modules to be validly signed
- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1
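Review bot: the header `@@ -91,400 +85,394 @@` announces roughly four hundred lines on each side, but the excerpt stops at `- ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1`, so the entries shown only as removed here (`Enable systemd_timesyncd Service`, `Disable SSH Access via Empty Passwords`, `Enforce Spectre v2 mitigation`, `Ensure that Root's Path Does Not Include World or Group-Writable Directories`, among others) cannot be confirmed as net removals from this listing. Before treating any of them as dropped checks, regenerate the complete diff or compare the full set of test-action ids on both sides; the line-by-line pairing of unrelated titles is again the signature of element reordering, not of edited questions.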
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -43,35 +43,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -79,59 +74,50 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
-
+
+
+
+
+
+
-
-
+
@@ -139,97 +125,111 @@
-
-
-
+
+
+
-
+
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -76,9 +76,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
@@ -86,43 +98,36 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -130,82 +135,52 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
-
-
-
-
+
-
-
+
-
-
-
+
-
+
-
+
@@ -213,47 +188,45 @@
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -76,9 +76,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
@@ -86,43 +98,36 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -130,82 +135,52 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
-
-
-
-
+
-
-
+
-
-
-
+
-
+
-
+
@@ -213,47 +188,45 @@
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,124 +7,118 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Ensure ufw Firewall Rules Exist for All Open Ports
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-ufw_rules_for_open_ports_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Enable auditd Service
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Ensure real-time clock is set to UTC
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Different Characters
+
+ Enable TCP/IP syncookie support
- ocil:ssg-accounts_password_pam_difok_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Harden SSH client Crypto Policy
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Disable Host-Based Authentication
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Uninstall rsh Package
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
-
- Harden SSH client Crypto Policy
+
+ Verify Permissions on crontab
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-file_permissions_crontab_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Use Centralized and Automated Authentication
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Ensure Mail Transfer Agent is not Listening on any non-loopback Address
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-has_nonlocal_mta_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
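Review bot: the same entries appear once as removed and once as added within this single hunk, which confirms reordering rather than a content change: `Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters` / `ocil:ssg-accounts_password_pam_ucredit_action:testaction:1` is removed in the upper part and added lower down, and the same holds for `Harden SSH client Crypto Policy` and `Disable Host-Based Authentication`. Most other removed entries have no counterpart inside this hunk and the header line counts differ (124 old, 118 new), so some entries may genuinely have been added or dropped; that needs to be settled by comparing the complete id set on both sides, not by reading the hunk. The title problems already noted for the 18.04 ocil file (`/proc/kkcore` against `kernel_config_proc_kcore`, and one title shared by the `auditd_data_disk_error_action` and `auditd_data_disk_error_action_stig` ids) recur here.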
@@ -133,1457 +127,1462 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Verify Owner on crontab
+
+ Configure Accepting Router Advertisements on All IPv6 Interfaces
- ocil:ssg-file_owner_crontab_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
-
- Enable systemd_timesyncd Service
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,9 +43,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
@@ -53,43 +65,36 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -97,82 +102,52 @@
-
-
-
-
-
-
+
-
+
-
+
+
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
+
-
+
-
-
-
-
-
+
-
-
+
-
-
-
+
-
+
-
+
@@ -180,47 +155,45 @@
-
+
-
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -76,15 +76,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -92,53 +98,46 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -147,73 +146,57 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2023-10-17 02:00:00.000000000 +0200
@@ -33,7 +33,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -76,15 +76,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -92,53 +98,46 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -147,73 +146,57 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2023-10-17 02:00:00.000000000 +0200
@@ -7,124 +7,124 @@
2023-10-17T00:00:00
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ Verify All Account Password Hashes are Shadowed
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-accounts_password_all_shadowed_action:testaction:1
-
- Configure Response Mode of ARP Requests for All IPv4 Interfaces
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Configure Kernel Parameter for Accepting Secure Redirects By Default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
- ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
- Ensure ufw Firewall Rules Exist for All Open Ports
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-ufw_rules_for_open_ports_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Ensure Chrony is only configured with the server directive
+
+ Ensure a Table Exists for Nftables
- ocil:ssg-chronyd_server_directive_action:testaction:1
+ ocil:ssg-set_nftables_table_action:testaction:1
-
- Enable auditd Service
+
+ Ensure real-time clock is set to UTC
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1
-
- Set SSH Daemon LogLevel to VERBOSE
+
+ Record Events that Modify the System's Network Environment
- ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1
+ ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
-
- Disable legacy (BSD) PTY support
+
+ Enable TCP/IP syncookie support
- ocil:ssg-kernel_config_legacy_ptys_action:testaction:1
+ ocil:ssg-kernel_config_syn_cookies_action:testaction:1
-
- Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
+
+ Harden SSH client Crypto Policy
- ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
+ ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
-
- Record Access Events to Audit Log Directory
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
- ocil:ssg-directory_access_var_log_audit_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
+
+ Disable Host-Based Authentication
- ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Verify that system commands files are group owned by root or a system account
+
+ Uninstall rsh Package
- ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1
+ ocil:ssg-package_rsh_removed_action:testaction:1
-
- Enable SSH Print Last Log
+
+ Add nodev Option to /var/log/audit
- ocil:ssg-sshd_print_last_log_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
-
- Disable GNOME3 Automounting
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-dconf_gnome_disable_automount_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1
-
- Configure auditd Disk Error Action on Disk Error
+
+ Audit Configuration Files Permissions are 640 or More Restrictive
- ocil:ssg-auditd_data_disk_error_action_action:testaction:1
+ ocil:ssg-file_permissions_audit_configuration_action:testaction:1
-
- Ensure /var/log Located On Separate Partition
+
+ Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- ocil:ssg-partition_for_var_log_action:testaction:1
+ ocil:ssg-accounts_password_pam_ucredit_action:testaction:1
-
- Harden SSH client Crypto Policy
+
+ Verify Permissions on crontab
- ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1
+ ocil:ssg-file_permissions_crontab_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Use Centralized and Automated Authentication
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Disable Host-Based Authentication
+
+ Ensure Mail Transfer Agent is not Listening on any non-loopback Address
- ocil:ssg-disable_host_auth_action:testaction:1
+ ocil:ssg-has_nonlocal_mta_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable support for /proc/kkcore
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_proc_kcore_action:testaction:1
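Review bot: the header `@@ -7,124 +7,124 @@` shows identical line counts on both sides, and the entries that occur twice in the hunk (`accounts_password_pam_ucredit`, `harden_ssh_client_crypto_policy` and `disable_host_auth`, each once removed and once added) point at unstable element order in the generated OCIL rather than at changed checks, so this hunk should not be read as a list of modified questions. Until the generator emits entries in a deterministic order, every rebuild will report this file as differing even when the rule set is unchanged. The `/proc/kkcore` title mismatch and the duplicated `Configure auditd Disk Error Action on Disk Error` title are present in this file as well.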
@@ -133,1078 +133,1078 @@
ocil:ssg-file_groupowner_etc_group_action:testaction:1
-
- Verify Owner on crontab
+
+ Configure Accepting Router Advertisements on All IPv6 Interfaces
- ocil:ssg-file_owner_crontab_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2023-10-17 02:00:00.000000000 +0200
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -43,15 +43,21 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
+
+
+
+
+
+
-
+
-
-
-
+
+
+
@@ -59,53 +65,46 @@
-
+
-
-
-
-
+
-
+
-
+
-
+
-
-
+
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -114,73 +113,57 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
-
-
-
+
+
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
-
overalldiffered=4 (number of pkgs that are not bit-by-bit identical: 0 is good)
overall=1